The basic idea behind postscreen(8)

Most email is spam, and most spam is sent out by zombies (malware on compromised end-user computers). Wietse expects that the zombie problem will get worse before things improve, if ever. Without a tool like postscreen(8) that keeps the zombies away, Postfix would be spending most of its resources not receiving email.

The main challenge for postscreen(8) is to make an is-it-a-zombie decision based on a single measurement. This is necessary because many zombies try to fly under the radar and avoid spamming the same site repeatedly. Once postscreen(8) decides that a client is not-a-zombie, it whitelists the client temporarily to avoid further delays for legitimate mail.

Zombies have challenges too: they have only a limited amount of time to deliver spam before their IP address becomes blacklisted. To speed up spam deliveries, zombies make compromises in their SMTP protocol implementation. For example, they speak before their turn, or they ignore responses from SMTP servers and continue sending mail even when the server tells them to go away.

postscreen(8) uses a variety of measurements to recognize zombies. First, postscreen(8) determines if the remote SMTP client IP address is blacklisted. Second, postscreen(8) looks for protocol compromises that are made to speed up delivery. These are good indicators for making is-it-a-zombie decisions based on single measurements.

postscreen(8) does not inspect message content. Message content can vary from one delivery to the next, especially with clients that (also) send legitimate email. Content is not a good indicator for making is-it-a-zombie decisions based on single measurements, and that is the problem that postscreen(8) is focused on.

http://www.postfix.org/POSTSCREEN_README.html