A few weeks back some botnet started running a new spam method. They are performing RCPT flooding, i.e. one email with 100 receipients (random names from a list, same domain). At first I set up an increasing delay (below the TCP timeout) for each RCPT, causing the bots being kept busy for several hours.
Then I switched to a filter rule which responds with an error after a few failed RCPTs. Around last weekend there was an aggressive classic SPAM compaign.