You're right, it is a pain.  I am in the same boat as well.  I too use a backup mail server, provided by another entity, which means that I can't deploy my same SpamFilter settings on that mail server.  And as you mentioned, by all of the mail coming in from that i.p. as the final stop along the route, several blacklists are rendered ineffective for that email.  Also, I think you were eluding that when email comes from that backup mail server that it can cause problems with false positives with SPF checks.

I definitely hear you on all of that.  If there were a way to specify a "relay list", then perhaps SpamFilter could treat those backup server i.p.s transparently - as if they were not forwarding the message at all.  But ignore that for now - That I know of, there are two routes you can go:

Keep the backup mail server

• Use your keywords blacklist, with ScanReceivedHeaders set to "1" so that you can blacklist major-offending i.p.s that appear somewhere in the stack of spam received headers from those messages (sounds like you're already doing this)
• Add bogus MX records to your DNS - with a lower precedence level (like 90) then any of your legitimate mail servers.  Some spammers will attack only your lowest-precedent mail server -  assuming that it may have the lowest level of filtering protection - and then give up.  Some spammers follow the RFC guidelines and actually attempt your mail servers in proper order.  And some just try 'em all .  In any case, it seems to have reduced some of the spam otherwise coming from my backup; but it's not a full & perfect solution - you will still get plenty of spam.
  

Use a medium grade machine at home as a backup:

• So you don't have the resources to shell out thousands of dollars for the sole purpose of a backup mail server; maybe a standard machine at home might help (then again, as mentioned before, some spammers prefer the backups - increasing the load on those machines that are intended to rarely be active).
• Obviously, if this home machine has identical rules as your primary mail server, any message that passes one would have passed the other; therefore, you can whitelist your home address's i.p. as it forwards mail to your primary.
  
• You'd have to figure out what to do with your quarantine.  You probably would not be excited to have you or your users sifting through two web interfaces instead of one.  Perhaps if you allow your existing database to be accessed over the internet, you can have your backup mail server connect and upload data to your database, hopefully without exposing a security hole.
  

I too am in scenario #1, and am contemplating jumping to #2.  As an aside, does anyone have experience with having two SpamFilter installations connect to a central database?  If so, does it work like a peach?  What database do you use?

See, I answer questions so I can ask them.  I'm just selfish that way.

Stephen 

Stephen,

"As an aside, does anyone have experience with having two SpamFilter installations connect to a central database?  If so, does it work like a peach?  What database do you use?"

I have several servers connecting to a single MS-SQL server with ZERO issues.

Edited by Desperado