Over on the Google Enterprise Blog, they recently posted the following with regard to some new features:
(1) Our spam protection continues to evolve, this time with NDR (non-delivery receipt) filter improvements. Administrators can now more precisely deal with NDR attacks which includes the ability to distinguish between legitimate and spam NDR messages and set rules that bypass the NDR filter.
(2) Customers who route their outbound mail through our datacenters greatly benefit from this next enhancement. We've observed that customers' mail servers can send volumes of junk messages, which in most cases are generated when servers are inadvertently configured as an open relay and used by spammers. This creates a number of problems, including the DNS "blacklisting" of the outbound server. Our outbound mail processing now includes spam scanning. This reduces DNS blocking issues and helps raise awareness of possible mail server security issues.
With regard to point (1), backscatter has become one of the big issues that we have had to deal with this year. It's such a big problem that I wrote an 18-part series on it earlier this summer. Google's blog post is a little ambiguous about what technique they are using to detect NDRs. The best technique would be Bounce Address Tag Validation (BATV), but it doesn't look like they are doing it. More than likely, they are using something like "Check to see if you sent it in the first place." The reason I say this is that with BATV, you wouldn't need to bypass the NDR filter; I suspect that they have some global policy (or custom spam) rules that reject all mail for NDRs. In order to use either of the techniques I mention, you have to use the hosted service for outbound mail. If you do use it for outbound, then smart NDR blocking comes into play.
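To make the BATV point concrete, here is a simplified sketch added as an illustration (it is not Google's, Postini's or this post's code). It follows the prvs-style tag layout from the BATV Internet-Draft; the key, the addresses and the seven-day lifetime are constructed assumptions. Because every legitimate bounce comes back to a signed address, there is nothing to bypass.

```python
import hashlib
import hmac

KEY = b"constructed-demo-key"   # assumption: secret held by the outbound MTA
LIFETIME_DAYS = 7               # assumption: how long a bounce is accepted

def _sig(key_id: str, day: str, addr: str) -> str:
    # First three bytes of HMAC-SHA1 over key number, expiry day and address.
    mac = hmac.new(KEY, (key_id + day + addr).encode(), hashlib.sha1)
    return mac.digest()[:3].hex()

def sign_sender(addr: str, today: int, key_id: str = "0") -> str:
    """Tag the envelope sender (MAIL FROM) of an outbound message.

    `today` is the number of days since 1970-01-01.
    """
    day = f"{(today + LIFETIME_DAYS) % 1000:03d}"
    return f"prvs={key_id}{day}{_sig(key_id, day, addr)}={addr}"

def check_bounce(rcpt: str, today: int) -> str:
    """Classify the RCPT TO of a message with a null sender (an NDR)."""
    if not rcpt.startswith("prvs="):
        return "reject: untagged"          # we never sent from this address
    tag, sep, addr = rcpt[5:].partition("=")
    if not sep or len(tag) != 10 or not tag.isascii() or not tag[:4].isdigit():
        return "reject: malformed"
    key_id, day, sig = tag[0], tag[1:4], tag[4:].lower()
    if not hmac.compare_digest(sig, _sig(key_id, day, addr)):
        return "reject: bad signature"     # forged or altered tag
    # Days left until expiry, taken modulo 1000 so the counter can wrap.
    if (int(day) - today) % 1000 > LIFETIME_DAYS:
        return "reject: expired"
    return "accept: " + addr

if __name__ == "__main__":
    sent_on = 19000                        # constructed day number
    tagged = sign_sender("alice@example.com", sent_on)
    print(tagged)
    print(check_bounce(tagged, sent_on + 3))               # real bounce
    print(check_bounce("alice@example.com", sent_on + 3))  # backscatter
    print(check_bounce(tagged, sent_on + 8))               # too old
```
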
With regard to point (2), outbound spam filtering is a feature that we first started looking into a year ago. Outbound spam has since become the bane of my existence. I notice that Postini is simply scanning outbound mail for spam; they don't say in the blog post what they are doing with it.
I have consistently taken the position that you cannot treat inbound mail the same as outbound mail. In a hosted service, the most common option for inbound spam is to quarantine it. For outbound spam, what do you do with it? For spam, no big deal, but for false positives, you definitely want to avoid non-delivery of legitimate mail. Ultimately, you do have to do something with outbound spam; you don't want to deliver it, because if you do, you risk getting blocklisted by third parties. Dealing with that is also a headache. But at least Postini is doing something, even though I don't know what it is.