I'd like to setup a Challenge-Response filter (like spamarrest) on my server. Are there any good packages out there (open source preferably)?

Unfortunately I believe the Challenge-Response system is a failed model. Many users are reluctant to verify anything via email these days, especially a link asking them to allow emails from the sender.

In reference to your example above, I do believe there were some UCE issues with Spam Arrest and their users a couple of years ago. I think that is when the whole concept failed.

In that case, what other options exist to improve spam filtering while keeping false positives to a minimum? My spamassasin setup is thourouly trained (over 10,000 spam/ham).

We've implemented Greylisting using relaydelay and the results have been awesome! The premise is that a properly configured mail server will obey a TEMPFAIL and resend the mail. A large bulk of the mass-blast email programs or zombies out there don't respect TEMPFAIL and never resend. All valid mailservers do. Also the network load now is put back on the sender instead of our server. The downside is until the email address is known and remembered by the system, there is a half hour delay (configurable) on new senders. You can whitelist ISPs, IPs, or mailservers, though.

Since we implemented, it's killed about 90% of our spam. After the relaydelay we pass to spamassassin & clamav. We've not lost 1 single piece of valid email in the six months since we implemented.

Hope this helps,
Burner

I think maildelay may not be such a hot idea.
FWIW many spammers dont use PC's and they do have the capability to resend if the receive SMTP unavailable.

Having said that the true drawback of maildelay is the damage it can cause to legitimate mail use by delaying and eventually causing multiple message delivery