As spammers are getting more and more intelligent, differentiating between spam and legitimate e-mail becomes more difficult, too. Technically, you may be able to do this in the future (given software patents are abolished and popular frameworks for countering spam actually become free) using SPF (Sender Policy Framework), which, simply put, registers all sending MTAs for a given domain in that domain's DNS records, so you can trivially check if you're getting the message from an MTA that actually is authorized to send e-mail with a return path from that domain. However, right now, there is a shadow of doubt over whether this will ever become a real standard that everyone will follow (of course, that would be beautiful).
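The SPF check described above, as an added example that is not part of the original post: the receiving MTA compares the connecting IP against the policy published for the return-path domain and can answer at MAIL FROM. It covers only the `ip4`, `ip6`, `include` and `all` mechanisms; the domains and TXT records are constructed samples, and the function names and the dictionary standing in for DNS are assumptions.

```python
import ipaddress

# Constructed TXT records standing in for DNS lookups (assumption, so this runs offline).
SAMPLE_TXT = {
    "example.org": "v=spf1 ip4:192.0.2.0/24 include:_spf.mailhost.example -all",
    "_spf.mailhost.example": "v=spf1 ip4:198.51.100.10 ip6:2001:db8::/32 ~all",
}
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

def check_spf(client_ip, domain, txt=SAMPLE_TXT, depth=0):
    """Evaluate an SPF subset for the connecting MTA's IP and the return-path domain."""
    if depth > 10:  # bound include recursion (RFC 7208 allows 10 DNS-querying terms)
        return "permerror"
    terms = (txt.get(domain) or "").split()
    if not terms or terms[0].lower() != "v=spf1":
        return "none"  # domain publishes no SPF policy
    ip = ipaddress.ip_address(client_ip)
    for term in terms[1:]:
        qualifier = "+"  # a mechanism without a qualifier means "pass" on match
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        name = name.lower()
        if name == "all":
            matched = True
        elif name in ("ip4", "ip6"):
            try:
                net = ipaddress.ip_network(arg, strict=False)
            except ValueError:
                return "permerror"  # malformed network in the record
            matched = ip.version == net.version and ip in net
        elif name == "include":
            inner = check_spf(client_ip, arg, txt, depth + 1)
            if inner in ("none", "permerror"):
                return "permerror"  # included domain must have a valid policy
            matched = inner == "pass"  # only an inner "pass" counts as a match
        else:
            raise NotImplementedError(f"term outside this subset: {term}")
        if matched:
            return QUALIFIERS[qualifier]  # first matching mechanism decides
    return "neutral"

def mail_from_reply(client_ip, return_path):
    """SMTP reply to MAIL FROM, so an SPF 'fail' is refused before DATA is sent."""
    result = check_spf(client_ip, return_path.rsplit("@", 1)[-1])
    return ("550 5.7.23 SPF validation failed" if result == "fail" else "250 OK"), result
```

Results such as `softfail` and `none` are accepted here and would normally feed a later scoring or greylisting decision rather than an outright rejection.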
The company I work for at the moment (Mimecast) does all of this. http://mail2.mimecast.co.za/mimecast/click?code=6e1851b5400f7786639a08bd7bd8 1caf We use Greylisting, Reputation Management, SPF, RBLs, Challenge Response, and NO QUARANTINES. We donated our work on the Java libs for SPF to the open source community (can be found at SourceForge), because the database and anti-virus engines we use are open source. SPF, coupled with Greylisting and RBLs, is a GREAT way to manage spam. On the 2nd of May (when sober.o hit) our customers went through huge greylist rejection increases. One customer went from circa 5000 rejections on average per day to 25000 rejections on the 2nd alone. Not one of these virus-laden messages actually had to be scanned by Clam, as we reject prior to the SMTP DATA command. Our product is not free, but it also does not cost a fortune.
Barry