Do you have any evidence that these spammers have MTAs which send without waiting for a banner message? Or are you just saying that they have a shorter-than-average connection timeout?
I can set my MTA to not show a login banner for, say, ten minutes. I won't get much spam. But I won't get much legitimate email either.
Evidence? Observation of the qpsmtpd log, maintenance
of a local database and experimentation with the delay.
Observation of the logs shows how long the spamming
hosts wait before 'blurting'. I don't have data on
'shorter-than-average' connection timeout,
I didn't think averaging would be helpful.
I haven't observed legitimate stuff (potentially) losing out
with earlytalker set to less than 15secs. Currently I have
two legitimate areas that fall foul with short timeouts.
Adaptec dot com and the getsatisfaction dot com organisation
that runs the emails for the ClamAV for Windows cloud-based
A/V forum. If I need to talk to Adaptec I have to reduce the
120secs. The getsatisfaction hosts seem unwilling to raise
their existing timeout setting so none of the associated forum
stuff gets delivered unless I reduce my earlytalker setting.
Your forum, Charlie, and that of the associated bugzilla
properly waits for my own SMTP greeting before sending.
Legitimate MTAs properly wait. Spamming hosts don't.
Spamming hosts have very low timeouts to maximise
their income from their funding spammers.
It's up to your own local criteria to establish the extent.
If ten minutes loses you legitimate emails then don't set it for
ten minutes. I have found two minutes to be more than ample,
65+ seconds pretty much loses the vast majority of (spamming)
transaction attempts.
I have established to my satisfaction that all traffic accurately
assessed to be crud attempts to be transacted from MTAs
that are set to tolerate little or no delay with SMTP greeting.
Locally... 15sec stops most spam, 65secs stops almost all
spam and 120sec stops all of it. Be aware that legitimate
emails from low timeout MTAs may be affected. However
as I keep an eye on the logs I am certain to see this
quite rare occurrence and take appropriate action.
YMMV
PostEdit: typo: insert (spamming)
...vast majority of (spamming) transaction attempts.