for untrusted clients, require at least one ASCII letter in the helo/ehlo argument, unless it's an address-literal. this rejects helo 192.168.1.1 among others. It still accepts the legal form helo [192.168.1.1] but that's not what spammers send. I've been running with this change overnight with no problems.