Back when I first setup this domain I configured a catch-all email address so that I could simply make up a unique email address on the fly when one was required for website registrations and similar uses. This has become unworkable as a few months ago someone started to use my domain in the from addresses which meant that all the bounce messages (not picked up by SpamAssassin) came to me, in the hundreds.
At one point (before I did some analysis and found out that most of the messages used different addresses) I considered changig the mail server config so these addresses were dropped. This accounts to a default permit policy which is the first of six dumb security ideas.
So what have I done? First I extracted all of the addresses that were used to send me the emails that I have retained, about 70 all up but a number of those are questionable, and created forwarding rules so that mesages send to these addresses will be forwarded on. Eventually I will remove the catch-all which will mean all of the unwanted emails will be dropped but in the interim I changed the catch-all to be my gmail account (that I never really used) so I can be sure I didn’t miss any addresses.
This does mean that I will need to create a new forwarding rule whenever I make up a new address but in the greater scheme I don’t do that very often and that small inconvenice will be overweighed by the huge reduction in the amount of spam I need to deal with.