If you're on Unix, use procmail, a general-purpose mail filtering package. You can find more information on it at http://www.ii.com/internet/robots/procmail/. Another good source of procmail information is http://www.iki.fi/~era/procmail/links.html.
If you're on Windows or Macintosh, see if you can find a mail client which will do filtering for you. Better yet, ask your ISP if they can filter your mail for you so that you don't have to download spam only to have it filtered.
RFC 822 is an official Internet document which describes all the standard headers. There are of course many non-standard headers which are inserted by some mail programs. Some of these are merely a strong hint that a message is spam, others are a hint only under certain circumstances, and some are added only by bulk e-mail programs.
Here are a few examples that are frequently brought up:
X-Mailer: Pegasusthe information here is bogus and the message was sent using one of the broken bulk e-mail programs.
Since more and more LANs are running Windows NT on their servers, they have MTAs that aren't quite as configurable as sendmail, so it may be more difficult to filter out unwanted spams.
A way around this is to set up a UNIX box to handle e-mail, and create an MX record pointing to it in the DNS database for that domain so that all e-mail gets sent to the UNIX box, which can filter out spam with procmail, sendmail, or whatever, and then pass it on to the LAN.
If you are trying to keep costs down, I would recommend that you check out Linux, a free version of UNIX that runs on 386/486/Pentium systems.
Another alternative would be to investigate the possibility of getting the Realtime Blackhole List.
Blocking a domain is a serious step, and can generally only be done by the sysadmin. It involves configuring one's router to ignore any and all TCP/IP packets from a given network, regardless of type. This means they can't even browse your website. See IDP. An automated method for doing this is by joining the Realtime Blackhole List, which has proven effective in keeping spam down on the sites that have joined it. More information can be found at http://mail-abuse.org/rbl.
Your administrator could also configure their MTA (mail transport agent) to refuse mail from a spammer's site. This is not 100% effective, because the spammers can route their mail via an innocent third party's server. More and more sites are disabling the relay feature from their servers, though, making it harder for the spammers to get through.
Another step some administrators take is to block a site by way of Procmail, which can filter mail by the IP address of the originating site (provided this information is present in the message headers).
Usenet Death Penalty. This is used only in the most extreme of cases where NNTP servers are configured to refuse any and all postings coming from a certain system. This happened to Prodigy in September of 1995 due to them refusing to take action against phone sex spammers. When they started nuking the accounts, the UDP was lifted.
UDP also stands for User Datagram Protocol, part of the TCP/IP protocol suite, so the use of this acronym can be a bit confusing; however, it is usually possible to determine which one is being used from the context.
Internet Death Penalty. Used when a site refuses to do anything about abuse coming from them. What happens is that other sites will refuse connections of any sort coming from this site. The premise behind this is that users on that site will start complaining to their system administrators and the sysadmins will have to deal with their spammer problems or lose customers.
IDPs are less common today, having been replaced by the RBL.
Plussed addresses are available for UNIX boxes running newer versions of sendmail. You can add a plus sign and any string you want after the username and before the '@' and the mail will still be delivered properly. For instance, email@example.com will reach me just fine.
However, before you attempt to use plussed addresses in your e-mail, I would suggest trying to e-mail yourself with a plussed address to make sure your ISP supports them.
In terms of catching spammers, I have "firstname.lastname@example.org" on my anti-virus homepage and NOWHERE else. I got a spam to that address about something that had nothing to do with viruses so it _really_ served to prove that spammers don't check their lists. Also, it proves that they look for 'mailto:' links.
Furthermore, if you start getting lots of spams to a plussed address (maybe after posting to Usenet with it), you can easily write a procmail recipe to dump all mail to that address to /dev/null.
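One way to write the recipe described above, as an added example that is not part of the original FAQ. The address user+usenet@example.com, the Mail directory, the folder names and the log path are constructed placeholders; substitute your own.

```procmail
# ~/.procmailrc fragment (added example; all names below are constructed)
# Assumes the mailbox is user@example.com and the plussed tag that
# started attracting spam is "usenet".

# Folders named in recipes are created under this directory (must exist).
MAILDIR=$HOME/Mail

# Keep a log so silently discarded mail can still be audited later.
LOGFILE=$HOME/procmail.log

# Recipe 1: discard everything addressed to the burned plussed address.
# ^TO_ is procmail's built-in macro for the destination headers
# (To:, Cc:, Apparently-To: and so on). The + and . are escaped
# because they are regular-expression metacharacters.
# No lockfile is needed when delivering to /dev/null.
:0
* ^TO_user\+usenet@example\.com
/dev/null

# Recipe 2: file mail sent to any other plussed tag into a folder
# named after the tag, so you can see which published address leaked.
# \/ marks the start of the text captured into $MATCH.
# The trailing colon on :0: asks procmail to lock the folder.
:0:
* ^TO_user\+\/[a-z0-9_-]+
plus-$MATCH
```

Order matters: procmail stops at the first delivering recipe that matches, so the discard rule must come before the general per-tag rule. A message that reached the address only by Bcc matches only if your MTA records the envelope recipient in one of the headers that ^TO_ covers.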