While I haven't received spam at my new email address, I just realized how futile it will be for me to try and stop it. My sister just sent me a "****** wants to talk to you" message that's apparently automatically generated by Microsoft Messenger or a Web site affiliated with it. Between that, evites, ecards, and tons of other "give us an email address and we'll let you annoy someone" systems, there's no way I can avoid having my new email address sold. I'll be inundated eventually. I just wonder how long it will take.
Changing email addresses and obscuring your address is the equivalent of taking the long way to school to avoid the bully. It might save your ass getting kicked, but it doesn't solve the problem.
Plenty of spammers use dictionary attacks. You're thinking like a productively paranoid programmer. The point of spam is not to make sure all of the messages reach their intended destinations. The point of spam is to make sure enough reaches any destination that someone will buy the product.
The only user-level customizations I've done are: 1) auto-prejudice all mail containing Microsoft executables as spam; 2) told it I only read English language/locales; and 3) whitelisted two addresses (but one is my mom).
The only behaviour I've needed to change is saving false-negative spam into a folder so I can regularly feed it to 'sa-learn' to improve the Bayes network.
Setup on the server was a piece of cake. The only real choice I had to make was whether to run it at user-level, or as a system daemon. I'm running the daemonized version, directly hooked into my MTA (exim; though it works just as well with sendmail and qmail). I didn't have to install any separate RBL-checking (which is built in) or tools like Vipul's Razor (which is an option, but which I decided took too long to process each message). It takes 40 seconds realtime to pass an email through, but adds almost no server load (with 10 active users on the server). I think it spends most of its time waiting for results from the RBLs.