
Re: draconian filters continued



Randy,
	It's not clear to me what "verifies the domain" means
below--verifies that the domain name given in the sender's
address has an MX, A, or AAAA record in the DNS, or verifies that the
domain name of the host connecting to the SMTP server is
somehow associated with the domain name of the sender.  The
first doesn't seem likely to stop much spam and the second
is tricky to get right without turning away legit mail.
	On a personal note, the second would almost certainly
kill some of my outbound mail (since I sometimes send mail as
"hardie@qualcomm.com" using other servers that I have connections
to, just because I don't want to hassle with setting up my corporate
VPN when I already have an SSH session open).  I could, of course,
change behavior to get around the problem.
					Ted


At 10:46 AM +0900 08/26/2003, Randy Bush wrote:
so, i finally had an hour to look at the massive crap mail attack.
it looks to me as if i could stop the vast majority of it by
enabling exim's option to check the dns of the sending host.

    verify = sender/<options>

    This condition is relevant only after a MAIL or RCPT command, or
    after a message has been received (the acl_smtp_data or
    acl_not_smtp ACLs). If the message's sender is empty (that is,
    this is a bounce message), the condition is true. Otherwise, the
    sender address is verified.

    For non-local addresses, routing verifies the domain, but is
    unable to do any checking of the local part. There are situations
    where some means of verifying the local part is desirable. One way
    this can be done is to make an SMTP callback to the sending host
    (for a sender address) or a callforward to a subsequent host (for
    a recipient address), to see if the host accepts the address. We
    use the term callout to cover both cases. This facility should be
    used with care, because it can add a lot of resource usage to the
    cost of verifying an address. However, Exim does cache the results
    of callouts, which helps to reduce the cost. Details are in the
    next section.

    A successful callout does not guarantee that a real delivery to
    the address would succeed; on the other hand, a failing callout
    does guarantee that it would fail.

    If the callout option is present on a condition that verifies an
    address, a second stage of verification occurs if the address is
    successfully routed to one or more remote hosts. The usual case is
    routing by a dnslookup or a manualroute router, where the router
    specifies the hosts. However, if a router that does not set up
    hosts routes to an smtp transport with a hosts setting, the
    transport's hosts are used. If an smtp transport has
    hosts_override set, its hosts are always used, whether or not the
    router supplies a host list.

but this could reject a LOT of mail

randy
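
The option quoted above, written out as an Exim 4 ACL fragment. This is an added example, not configuration from either poster or from the Exim documentation; the ACL name acl_check_rcpt, the message strings and the 30s timeout are assumptions. It goes slightly beyond the quoted text by putting a log-only rule first, so the volume of mail that "could reject a LOT" can be measured before anything is refused.

```exim
# Main configuration section: run this ACL for every RCPT command.
acl_smtp_rcpt = acl_check_rcpt

begin acl

acl_check_rcpt:

  # Stage 1, log only: note each sender address that fails routing
  # verification, but keep processing the message.
  warn    log_message = sender verify would fail for <$sender_address>
          !verify     = sender

  # Stage 2, enforce the routing check. For a non-local sender this
  # only asks whether the domain of the envelope sender can be routed
  # (with a dnslookup router, whether it resolves in the DNS). It does
  # not compare the connecting host with the sender's domain, so mail
  # relayed through a third-party server still passes.
  # Leave this commented out while stage 1 is being evaluated.
  # require message   = sender domain cannot be routed
  #         verify    = sender

  # Stage 3, optional callout: additionally ask the hosts the sender
  # address routes to whether they accept the address. defer_ok lets
  # the message through when those hosts cannot be reached in time.
  # require message   = sender address rejected by callout
  #         verify    = sender/callout=30s,defer_ok

  # The rest of the site's existing RCPT rules follow here.
  accept
```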