Drastic solution
I took a more aggressive approach using iptables, geoip and home-brew daemons.
I made a list of countries that my clients don't do business with, and block port 25 for just those for most of the day (Ukraine, Brazil, India, Vietnam, etc.).
At night the filters are lifted for an hour to allow any legitimate queued mail to be received.
Then the usual first line filters are used as normal:
zen.spamhaus.org - rejecting anything from a known residential IP address.
bl.spamcop.net - next check
SPF milter
DKIM, DK
own DNSBL created from received spam; spamtrap addresses -> direct to SpamCop
MailScanner - SpamAssassin and other rules...
high scoring -> direct to SpamCop
borderline -> holding folder for queue reinsertion
Mail attempts and POP3 abuse/scanning are caught with a syslog extension that adds to the iptables ban list, creates a report and mails the IP's abuse history to the ISP responsible.
I also made the BIND DNS server geo-aware, so that mail senders in bad countries get served an MX record of 127.0.0.1, which is also quite effective. Unlike iptables, this doesn't throw out the baby with the bathwater. The only problem is that managing 200 different views of x domains is heavy on memory, and needs a database to remember combinations of what domains give what MX records depending on a query's origin.
Spam is now virtually non-existent.
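One way to build the geo-aware MX trick from the post above, as an added example in BIND 9 named.conf syntax (not the poster's own configuration); the zone name, file paths and country list are placeholders, and it goes a step beyond the post by using one ACL-backed view instead of one view per country:

```bind
// named.conf excerpt: added example, not the poster's own configuration.
// Assumes BIND 9.10+ built with GeoIP support and a placeholder zone
// "example.com". One ACL lists every blocked country, so a single extra
// view stands in for the per-country views the post describes.
acl "no-business-countries" {
    geoip country UA;   // Ukraine
    geoip country BR;   // Brazil
    geoip country IN;   // India
    geoip country VN;   // Vietnam
};

// Queries arriving from those countries get a copy of the zone whose MX
// resolves to localhost. Note the ACL matches the querying resolver, so a
// sender using a resolver in another country is classified by that resolver.
view "null-mx" {
    match-clients { "no-business-countries"; };
    recursion no;
    zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.null-mx";
    };
};

// Everyone else gets the real zone. BIND uses the first view whose
// match-clients succeeds, so this catch-all view must come last.
view "default" {
    match-clients { any; };
    recursion no;
    zone "example.com" {
        type master;
        file "/etc/bind/zones/example.com.db";
    };
};
```

The null-mx zone file is the real zone with its MX line replaced by `@ IN MX 10 nullmx.example.com.` plus `nullmx IN A 127.0.0.1`, because an MX must name a host rather than an IP literal. RFC 7505's `MX 0 .` is the standardised way to say a domain accepts no mail, if an explicit refusal is preferred to a connection that fails.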