There are a couple of services which allow you to administer your SMTP-stage filters, without having to administer the MTA. It's not for everybody.
- you're basically using a separate ISP for inbound email, so you'll have to pay for it. For someone with your level of incoming traffic, that might be a lot.
- you do have to take responsibility for your own filtering decisions and blocking choices. It does help to understand CIDRs, whois, and DNSBLs, etc. My provider has a "user-friendly menu", but to get the maximum benefit it helps to dive into the config file with vim - you'll probably have to ssh to the provider.
- you either need to use your provider's email account, or else arrange to have them accept email for your domain, and also you have to point your MX at their MTA (once they've agreed to accept email for your domain) - and fer-cryin-out-loud, turn off any secondary MX records. The spammers will pound on them.
Years ago, I was gung-ho on procmail. Spam evolved, and email went from almost 100% sendmail to a gazillion different MTAs, with their own weird header conventions, which made things rather difficult for my procmail filter. My procmail filter's false-positive rate went up, as did its false-negative rate. I got an account at a provider as described above, and my incoming spam rate (the part that got through) went way down. Out of 780 blocked delivery attempts last month, the biggest catches were ...
Badly forged HELO = 119
No hostname = 377
Dynamic IP by rDNS regex = 143
Country by rDNS = 58
Walter Dnes; my email address is *ALMOST* like firstname.lastname@example.org Delete the "z" to get my real address. If that gets blocked, follow the instructions at the end of the 550 message.
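
An added example, not part of the original post and not the poster's or his provider's rules: a sketch of how the four SMTP-stage checks in the tally above can be decided from only the client IP, the HELO argument and the PTR name. The domain, the blocked TLDs, the keyword regex and the sample connections are all assumptions constructed for illustration.

```python
import re
from collections import Counter

MY_DOMAIN = "example.org"        # assumed: the domain we accept mail for
BLOCKED_CCTLDS = {"xx", "yy"}    # assumed: placeholder country-code TLDs
DYNAMIC_WORDS = re.compile(      # assumed keyword list for dynamic pools
    r"(^|[.\-_])(dyn(amic)?|dhcp|a?dsl|pool|ppp|dial(up)?|cable)\d*([.\-_]|$)")
BARE_IPV4 = re.compile(r"^\d{1,3}(\.\d{1,3}){3}$")

def ip_in_name(ip, name):
    """True if the IPv4 octets appear in the hostname, forward or reversed."""
    octets = ip.split(".")
    return any(
        re.search(r"(?<!\d)" + r"[.\-_]".join(seq) + r"(?!\d)", name)
        for seq in (octets, octets[::-1]))

def classify(ip, helo, rdns):
    """Return the rejection category for one connection, or None to accept."""
    helo = helo.lower().rstrip(".")
    # A remote host claiming our own name, sending a bare IP (an address
    # literal must be bracketed), or a name with no dot has a forged HELO.
    if (helo == MY_DOMAIN or helo.endswith("." + MY_DOMAIN)
            or BARE_IPV4.match(helo) or "." not in helo):
        return "Badly forged HELO"
    if not rdns:                     # no PTR record for the connecting IP
        return "No hostname"
    rdns = rdns.lower().rstrip(".")
    if ip_in_name(ip, rdns) or DYNAMIC_WORDS.search(rdns):
        return "Dynamic IP by rDNS regex"
    if rdns.rsplit(".", 1)[-1] in BLOCKED_CCTLDS:
        return "Country by rDNS"
    return None

def tally(connections):
    """Count rejections per category, in the shape of the summary above."""
    return Counter(c for c in (classify(*conn) for conn in connections) if c)

# Constructed sample connections: (client IP, HELO argument, PTR name or None)
SAMPLE = [
    ("192.0.2.10", "example.org", "mail.sender.test"),
    ("198.51.100.7", "mx.sender.test", None),
    ("203.0.113.45", "mx.sender.test", "203-0-113-45.dsl.isp.test"),
    ("203.0.113.99", "mail.host.xx", "mail.host.xx"),
    ("192.0.2.25", "mail.sender.test", "mail.sender.test"),
]

if __name__ == "__main__":
    for category, count in tally(SAMPLE).items():
        print(f"{category} = {count}")
```

The own-domain HELO rule assumes this listener only receives mail from outside; hosts that legitimately announce themselves under the protected domain would need an allowlist ahead of it.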