We've been hit a few times by spammers the last time we had 500,000 email
sent through us. We had to implement a solution based on Post.Office. This
worked fine as we restricted it to our local domains and IP addresses. Then
an enterprising spammer started to spoof our IP addresses.
What we had to do was modify our main BGP routers to block incoming packets
with one of our IP addresses as the source,
! filter incoming with your source address
acc 101 deny ip your.net.ip.0 0.0.0.255 0.0.0.0 255.255.255.255
You can also block incoming packets with RFC reserved internal addresses as
a source address.
So far we've haven't been relayed again.