If spam has made it far enough that it's actually reached your personal instance of procmail,
then there's been a problem earlier in the chain. Procmail rulesets should be a last resort,
and they should only be asked to deal with minor issues that aren't dealt with via earlier rulesets.
The first line of defense are your perimeter routers. They should implement BCP 38, they
should block bogons, and they should bidirectionally deny all traffic to/from the Spamhaus
DROP list. In addition, they should block inbound port 25 traffic from everywhere on the
planet that
you don't
need email from. In other words; the fact that someone
in country X wants to email you is unimportant
unless you actually wish to receive
mail from them. Yes, this is a reversal of default-permit, for a simple reason: default-permit
for SMTP stopped being reasonable around 2000. Use
http://www.ipdeny.com/ to pick
up the ranges per-country and only permit what you need. (Obviously a major research
university can't do this. But Joe's Furniture, which does not have customers in Peru or
Pakistan or Greece, can.)
Then use blacklists, the best defense against spam we've ever developed. (Source:
30+ years of email experience) Spamhaus's Zen blacklist is a good one with a low
FP rate and a tolerable FN rate. Augment these with local blacklists based on domains
and network allocations. Augment those with as much blocking of generic hostnames
and dynamic IP space as possible: real mail servers have real hostnames and are
on static addresses.
Then enforce RFC requirements: sending host must have rDNS, that PTR must
resolve, what it resolves to should be the sending host's IP. Sending host must
HELO as FQDN or bracketed dotted-quad; if FQDN, must resolve. Sending host
must not send traffic pre-greeting. And so on. Enforcing these DOES mean
occasionally you block mail sent by non-spamming entities: but since they are
incompetent non-spamming entities, why would you want mail from them?
Add greylisting. It'll handle a lot of annoying hosts that haven't learned to retry yet.
Rate-limit based on normative values for your site. For example: if analysis of a year's
worth of mail logs shows that during that time you never received more than 10 messages
a day from ANY host, then rate-limit at 30 or 40. You'll never hit in normal practice;
but if you get hammered by a fast-sending host, you'll blunt the attack. Note that
these don't have to be perfect to work: provided you send deferrals (SMTP response
codes 4xx) instead of refusals (5xx) the worst that happens is that you will
mistakenly impose a delay.
There's more -- it's possible to get quite crafty about this. But note that NONE of
these measures pay any attention to content. There's a reason for that: spammers
can defeat content-based measures at will. They won't have it so easy with these.
Deployed in production in various setups ranging from a dozen to eight million
users, these steps yield a FP rate of about 10e-6 to 10e-7 and a FN rate around
10e-5 to 10e-6. Tuning helps, of course: initial rates can be higher but log analysis (which
all sensible postmasters do) readily brings them down. If you have the luxury of
running your own mail server just for yourself, then you can REALLY tune this
setup: you should be able to get the FN rate down to 10e-7 after a few months.