So,
The exim4 + eximconfig configuration is pretty darn good about blocking spam ... but it's not quite 100%.
And ... bad bots, etc., have already started to pick up the @temp.balug.org list posting addresses - no surprise there, and I'm sure they'll likewise also pick up @lists.balug.org - and/or already have those addresses from earlier.
So ... fortunately has been quite low volume :-) ... but there has been some spam/UCE making it through exim4 + eximconfig to the list posting addresses (and then held for moderation as "post" from non-member). Have reviewed those, and ... heck no, haven't added 'em to Mailman's automatic rejection (that would be relatively uselessly "too late" (post-SMTP)) ... but did make some selective additions in the exim4 + eximconfig configuration.
Most notably, the wee bit 'o spam/UCE that had made it through to list posting addresses, seemed to fit roughly in 2 general categories (at least from that seen thus far):
Unsolicited Commercial Email (UCE) spam - from senders/businesses that might otherwise be/seem quite legitimate, but are sending email that's very much unsolicited, not confirmed opt-in, typically in violation of relevant regulations, etc. regarding anti-spam ... but they're sending anyway (they ought be hit by a clue-by-four). And also not a "Joe job" - someone/something impersonating an otherwise legitimate sender (spoofed). So ... for the few of those (I think about two thus far), I added their domains to be blocked by exim4 + eximconfig as spam.
And the others ... sufficiently well constructed to make it past the spam filters, but most likely fly-by-night spam operations - e.g. buy up some cheap or ultra-cheap domain, set up some DNS/email infrastructure, and ... start spamming. Not much to be done about those ... except, where they're yet another crud TLD I'd not already so added, added the TLD for explicit greylisting (e.g. TLD bid). That doesn't necessarily stop spam from those, but ends up thwarting a quite large percentage of them - while also letting through any (theoretical) legitimate email - without too much additional burden/delay on sender (e.g. one would think .xyz is utter cr*p, ... but I know of one person that legitimately has and uses such a domain ... perhaps not at all for email, but ... at least hypothetically). So ... all those "crud" domains ... (and spammy country code TLDs, etc.), generally inclined to treat 'em with additional scrutiny (notably also adding greylisting), but not absolutely outright block/reject 'em. Also, might not / probably wouldn't be a good idea, but could also add additional layer of requiring callouts on those too ... but that could be a bad thing - even for such highly suspect domains - so not even seriously considering it at this time.
I might also do some blanket adding of "crud" TLDs for additional checks (notably greylisting). So far I've based it upon what eximconfig gave as default starting point, plus some adjustments notably for those I've never seen send a legitimate email but I see (notably elsewhere) sending plenty of spam (enough for me to recall and groan about thinking of the TLD, without even looking over spam collection details/stats).
Oh, random bit - I did see a very small percentage of list subscriber addresses that do callouts (as evidenced in the logs).
And also, mailman has pretty good logs ... I don't have to worry too much about "oh, I just deleted all those spam emails ... what if I wanted to add some more anti-spam measure at SMTP time for them?" ... not an issue - can find most relevant bits about those held for moderation of post attempt from non-member in the mailman logs - at least for some reasonable period.
Quoting Michael Paoli (Michael.Paoli@cal.berkeley.edu):
> The exim4 + eximconfig configuration is pretty darn good about blocking spam ... but it's not quite 100%.
You can't get very close to 100%. Doing so would work you as the admin ragged, probably increase server load a lot (depending on how you did it), and risk creating a (greater) false positive problem. One of my rules for living is 'If you find yourself trying to outwork bots, you're solving the wrong problem.'
The nice thing about attempting to block particular patterns via Exim4 rulesets in contrast to spamd (SpamAssassin) ones is that they don't chew up machine resources (RAM, CPU) as much as does the big, slow Perl daemon that is spamd. OTOH, SpamAssassin regexes are awfully expressive and convenient. As a rough rule of thumb, I try to use Exim4 tricks to reject 90+% of the attempted spam/junkmail/malware deliveries, and spamd to sort out the remainder. Basically, Exim-level processing does the heavy lifting. spamd does cleanup.
> Unsolicited Commercial Email (UCE) spam - from senders/businesses that might otherwise be/seem quite legitimate, but are sending email that's very much unsolicited, not confirmed opt-in, typically in violation of relevant regulations, etc. regarding anti-spam ... but they're sending anyway (they ought be hit by a clue-by-four). And also not a "Joe job" - someone/something impersonating an otherwise legitimate sender (spoofed). So ... for the few of those (I think about two thus far), I added their domains to be blocked by exim4 + eximconfig as spam.
At some potential cost in false positives, as I'm sure you are aware.
Ideally, those domains' legitimate operators would signal their legitimate mail sender IPs using SPF or (ugh!) DMARC. But as we know, adoption of antiforgery technology will never be 100%, nor 100% correct.
> And the others ... sufficiently well constructed to make it past the spam filters, but most likely fly-by-night spam operations - e.g. buy up some cheap or ultra-cheap domain, set up some DNS/email infrastructure, and ... start spamming. Not much to be done about those ... except, where they're yet another crud TLD I'd not already so added, added the TLD for explicit greylisting (e.g. TLD bid).
Excellent idea.
Greylisting works wonders because the spammers' motto is 'We do it stupidly, but we make it up in volume.' So, e.g., typically their bots never follow up on SMTP 45x tempfails. Why bother? There's a whole Internet full of target IPs to move on to.
Most new ICANN-blessed TLDs seem to originate zero legitimate mail, and are used only for spam. Somewhere I read a study about that, probably one I noticed cited on NANOG.
There's this, for starters: https://www.spamhaus.org/statistics/tlds/
Just the other day, I got legit mail from a .law domain, from my late mother's estate and trusts law firm -- but that was a rare exception. Most of the new ones seem to be so close to 100% junk for SMTP that you could justifiably add an Exim4 rule hardfailing everything purporting to come from them, and you could _definitely_ greylist those.
The gentler but higher-cost in RAM/CPU approach would be to create a spamd rule adding (say) 2.0 to spamicity for all such highly suspect TLDs.
About callouts: A few years ago, I mentioned the excellence of the EximConfig callouts (formerly named callbacks) on Linux Users of Victoria (Australia) main mailing list, and immediately drew operatic objection from one guy, who claimed that the existence of callout sessions in his MTA logs from linuxmafia.com meant that I was 'DoSing' him, and (IIRC) threatened to list linuxmafia.com on a DNSBL. I vaguely recall that one such DNSBL exists.
I attempted to placate the gentleman by pointing out that Exim4 with the EximConfig rules doesn't do a callout _every_ time a claimed sender domain is in arriving mail's envelope headers. It caches results from prior callouts and uses those. As you can imagine, he did not regard this as sufficiently pure in approximating his notion of Right and Just Behaviour, and I was left with attempting to politely agree to disagree (which of course doesn't always work well on the Internet, either).
Antispam is a difficult topic to discuss on LUG mailing lists, because it tends to draw perspective-challenged cranks and monomaniacs. Also, famously, antispam drives many people deeply associated with it more than a little cranky and perhaps drives them a little around the bend. I know SMTP operators who've made what they allege to be a measured decision to use (IIRC) BGP rules to null-route all traffic arriving from ASNs corresponding to all of China, Korea, and Africa. Which strikes me as breathtakingly judgemental, but Views Differ.[tm]
> Oh, random bit - I did see a very small percentage of list subscriber addresses that do callouts (as evidenced in the logs).
Yep, it's quietly becoming more common -- quietly because, if you talk about doing it, even if you mention very infrequent occurrence on account of using caching, 1/3 of the time there'll be someone who claims you're a Bad Person who's DoSing everyone.
> And also, mailman has pretty good logs ... I don't have to worry too much about "oh, I just deleted all those spam emails ... what if I wanted to add some more anti-spam measure at SMTP time for them?" ... not an issue - can find most relevant bits about those held for moderation of post attempt from non-member in the mailman logs - at least for some reasonable period.
Log analysis of the Exim4 and Mailman logfiles is definitely your friend.
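As an added example (not code from either poster's setup, nor from eximconfig): a small Python script that tallies per-TLD outcomes from Exim mainlog lines, the kind of stat that backs a decision to greylist a TLD, and that shows whether greylisted senders from a TLD ever retried. The log lines, hosts, addresses and message ids are constructed placeholders; the line shapes follow Exim's "<=" accepted-message and "rejected RCPT" / "temporarily rejected RCPT" conventions.

```python
import re
from collections import defaultdict

# Constructed sample Exim mainlog lines (not real traffic). Every host,
# address, IP and message id below is made up; only the line shapes are Exim's.
SAMPLE_LOG = """\
2019-03-04 12:00:01 H=mx.bulk.bid [192.0.2.1] F=<offer@bulk.bid> temporarily rejected RCPT <list@lists.example.org>: greylisted
2019-03-04 12:00:02 H=mx.other.bid [192.0.2.2] F=<deal@other.bid> temporarily rejected RCPT <list@lists.example.org>: greylisted
2019-03-04 12:00:03 H=mx.shop.xyz [192.0.2.3] F=<ann@shop.xyz> temporarily rejected RCPT <list@lists.example.org>: greylisted
2019-03-04 12:00:04 H=mail.example.com [198.51.100.4] F=<bob@example.com> rejected RCPT <list@lists.example.org>: blocked as spam
2019-03-04 12:20:05 1hAbCd-000001-XY <= ann@shop.xyz H=mx.shop.xyz [192.0.2.3] P=esmtp S=2048
2019-03-04 12:20:06 1hAbCd-000002-XY <= carol@example.net H=mail.example.net [198.51.100.5] P=esmtp S=1024
"""

# Envelope sender domain for each of the three outcomes we care about.
TEMPFAIL = re.compile(r" F=<[^@>]+@([^>]+)> temporarily rejected RCPT ")
REJECT = re.compile(r" F=<[^@>]+@([^>]+)> rejected RCPT ")
ACCEPT = re.compile(r" <= [^@ ]+@(\S+) H=")

def tld(domain):
    """Last label of the domain, lower-cased (so 'mx.bulk.bid' -> 'bid')."""
    return domain.rsplit(".", 1)[-1].lower()

def tld_stats(log_text):
    """Per-TLD counts of greylist tempfails, hard rejects and accepted messages."""
    stats = defaultdict(lambda: {"tempfail": 0, "reject": 0, "accepted": 0})
    for line in log_text.splitlines():
        for key, rx in (("tempfail", TEMPFAIL), ("reject", REJECT), ("accepted", ACCEPT)):
            m = rx.search(line)
            if m:
                stats[tld(m.group(1))][key] += 1
                break
    return dict(stats)

def retry_rate(stats):
    """Fraction of greylist tempfails per TLD followed by an accepted message.
    Near 0.0 means senders from that TLD never came back (greylisting did its job);
    near 1.0 means real mail is retrying and the TLD is probably not pure junk."""
    out = {}
    for t, c in stats.items():
        if c["tempfail"]:
            out[t] = min(c["accepted"], c["tempfail"]) / c["tempfail"]
    return out

if __name__ == "__main__":
    s = tld_stats(SAMPLE_LOG)
    for t in sorted(s):
        print(t, s[t], "retry_rate=%.2f" % retry_rate(s).get(t, float("nan")))
```

On a real box, feed it the contents of /var/log/exim4/mainlog instead of SAMPLE_LOG; the accepted-message heuristic counts any "<=" line from the TLD, so it is a rough signal rather than a per-message match.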