I am in the unfortunate situation of owning and using a decade-old domain that's only three letters long. As far as spammers go, this seems to be ideal territory. For the past year or so, this domain has wound up as a wildcard domain on a spambot network. This means that my sole mailserver gets somewhere between 500,000 and 800,000 attempted spams every day -- to nonexistent accounts. That load works out to roughly 6 to 10 messages a second, 24/7/365.
One of the many nefarious techniques used by spammers is to cull usernames from many domains, then attempt to send mail to those same usernames at other domains, hoping that the accounts exist there too. In my case, there are only about 25 legitimate email accounts, but looking at my mail logs, you'd think that hundreds of thousands of users were getting mail at my domain. Just dealing with the "user unknown" bounces had sendmail using over 30% of the system's resources on a constant basis. The mail path through the server passed every message to MIMEDefang, which calls SpamAssassin and ClamAV for spam and virus filtering, and the sheer volume was overwhelming the server. Something had to be done.
First, I implemented greylisting on all mail coming into the server. Greylisting is a relatively new technique, and a fairly draconian one, but it is also very effective. In a nutshell, the first delivery attempt from any remote MTA is refused with a transient SMTP 451 "please retry later" response. A legitimate mailserver treats a 4xx reply as a temporary failure: it queues the message and retries it. Spammers generally don't, since retrying thousands and thousands of refused messages isn't worthwhile to them. The cost is that the first message from any new correspondent is delayed anywhere from 30 minutes to several hours, depending on the retry schedule of the sender's mailserver. Once the message is resent, it is accepted and routed appropriately.

This is implemented as a sendmail milter called relaydelay. Each delivery attempt is keyed on a tuple consisting of sender address, recipient address, and relaying MTA IP address. The first time a tuple is seen, a record is added to a MySQL database with an insert timestamp and an expiration timestamp, and the message is refused. When the same tuple is seen again, the mail is accepted and the record's expiration is pushed out 45 days. From then on, mail matching that tuple passes through with no delay, and each further message resets the 45-day clock; only a tuple that goes unused for 45 days has to go through the delay again.
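The tuple logic described above, as an added example in Python that is not relaydelay's code: an in-memory SQLite table stands in for the MySQL database, and the parameters (a 5-minute minimum delay before a retry is honoured, a 4-hour lifetime for tuples that are never retried, and the 45-day lifetime for confirmed tuples) are assumptions for the example rather than relaydelay's settings. The minimum-delay check and the purge of never-retried tuples are not described in the text; they are included because a table taking several hundred thousand new tuples a day needs both.

```python
"""Added example: greylisting keyed on (sender, recipient, relay IP)."""
import sqlite3
import time

# Any 4xx reply is transient: a conforming MTA queues the message and retries,
# which is the behaviour greylisting relies on. 451 matches the text above.
TEMPFAIL = "451 4.7.1 Greylisted, please try again later"
ACCEPT = "250 OK"


class Greylister:
    """Tuple-keyed greylist. Parameters are this example's assumptions:
    min_delay    - a retry sooner than this is refused again
    pending_life - how long an unconfirmed tuple is kept before purge
    record_life  - how long a confirmed tuple stays whitelisted (45 days)
    """

    def __init__(self, min_delay=300, pending_life=4 * 3600, record_life=45 * 86400):
        self.min_delay = min_delay
        self.pending_life = pending_life
        self.record_life = record_life
        self.db = sqlite3.connect(":memory:")  # stand-in for the MySQL table
        self.db.execute(
            "CREATE TABLE greylist (sender TEXT, recipient TEXT, relay_ip TEXT, "
            "first_seen INTEGER, expires INTEGER, passed INTEGER, "
            "PRIMARY KEY (sender, recipient, relay_ip))")

    def check(self, sender, recipient, relay_ip, now=None):
        """Return (smtp_reply, reason) for one delivery attempt."""
        now = int(time.time()) if now is None else now
        key = (sender.lower(), recipient.lower(), relay_ip)  # addresses are case-insensitive here
        where = "WHERE sender=? AND recipient=? AND relay_ip=?"
        row = self.db.execute(
            f"SELECT first_seen, expires, passed FROM greylist {where}", key).fetchone()

        if row is not None and row[1] < now:
            # Expired: never retried, or unused for record_life. Forget it.
            self.db.execute(f"DELETE FROM greylist {where}", key)
            row = None

        if row is None:
            self.db.execute("INSERT INTO greylist VALUES (?,?,?,?,?,0)",
                            key + (now, now + self.pending_life))
            self.db.commit()
            return TEMPFAIL, "new tuple recorded, delivery deferred"

        first_seen, _expires, passed = row
        if not passed and now - first_seen < self.min_delay:
            return TEMPFAIL, "retry too soon, deferred again"  # immediate bot retries gain nothing

        # Genuine retry, or an already-confirmed tuple: accept and push the
        # expiration out another record_life from now (the 45-day reset).
        self.db.execute(f"UPDATE greylist SET passed=1, expires=? {where}",
                        (now + self.record_life,) + key)
        self.db.commit()
        return ACCEPT, ("retry seen, tuple confirmed" if not passed
                        else "known tuple, passed without delay")

    def purge(self, now):
        """Drop expired rows; at ~10 messages/s the never-retried rows dominate."""
        cur = self.db.execute("DELETE FROM greylist WHERE expires < ?", (now,))
        self.db.commit()
        return cur.rowcount

    def expires_at(self, sender, recipient, relay_ip):
        row = self.db.execute(
            "SELECT expires FROM greylist WHERE sender=? AND recipient=? AND relay_ip=?",
            (sender.lower(), recipient.lower(), relay_ip)).fetchone()
        return None if row is None else row[0]


def simulate():
    """Constructed delivery attempts (not real log data): a legitimate MTA that
    retries and a spambot that never does. Returns (reply codes, purged rows,
    expiration of the legitimate tuple)."""
    g = Greylister()
    t0 = 1_700_000_000
    legit = ("alice@example.org", "bob@xyz.example", "192.0.2.10")
    bot = ("junk@example.net", "nosuchuser@xyz.example", "198.51.100.7")
    events = [
        (legit, t0),          # first attempt: deferred
        (legit, t0 + 30),     # immediate retry: deferred again
        (legit, t0 + 1800),   # retry after 30 minutes: accepted
        (legit, t0 + 86400),  # next day: passed with no delay, 45-day clock reset
        (bot, t0),            # spambot: deferred, never comes back
    ]
    replies = [g.check(*tup, now=when)[0] for tup, when in events]
    purged = g.purge(t0 + 5 * 3600)  # the bot's pending row has expired by now
    return replies, purged, g.expires_at(*legit)


if __name__ == "__main__":
    replies, purged, exp = simulate()
    print("\n".join(replies))
    print("purged rows:", purged, "legit tuple expires at:", exp)
```

One caveat worth keeping in mind with the relay IP in the key: senders whose outbound mail leaves from a pool of MTAs may retry from a different address, so each retry looks like a new tuple and their mail can be delayed repeatedly. A common adjustment is to key on the sender's /24 rather than the exact IP.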