Weblog entry #45 for lee
There's a prolific spammer that registers a fresh domain every day and sends out DKIM-signed mail from changing IP addresses. Keeping a blacklist of sending domains and IP addresses is fairly useless after the fact.
However, the one constant is that the nameservers used for those domains always share the same domain name, and since that domain is registered to the spammer it's unlikely to serve anything legitimate.
Therefore it's trivial to block based on a lookup of the sender domain's nameservers in Exim's acl_check_rcpt:
  # Look the NS records up once and keep them in a named ACL variable so both
  # the condition and the log line can use them. A failed lookup (no NS records,
  # or a DNS error) expands to an empty string, so the match fails and the
  # message is not denied.
  deny message = Domain is blacklisted here
       set acl_m_sender_nameservers = ${lookup dnsdb{>: ns=$sender_address_domain}}
       # The list is colon-separated; anchor the match on list boundaries and
       # escape the dots so e.g. ns1XexampleYcom or a longer lookalike name
       # cannot match. \N...\N keeps the regex out of string expansion.
       condition = ${if match{$acl_m_sender_nameservers}{\N(^|:)ns1\.example\.com(:|$)\N}{yes}}
       log_message = nameservers for $sender_address_domain: $acl_m_sender_nameservers
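The same decision logic outside Exim, as an added example (not code from the original entry). The DNS resolver is a constructed in-memory stub so that it runs offline; the blocked nameserver domain `spammer-ns.example` and all the sender domains are made-up sample values. It goes a little beyond the ACL above in that it matches any host under the blocked nameserver domain (ns1, ns2, ...), normalises case and trailing dots, and explicitly skips the null sender of a bounce, which has no sender domain to look up.

```python
"""Nameserver-based sender blocking, mirroring the Exim ACL logic.

The resolver is a constructed stub so the example runs offline; swap
`stub_resolve_ns` for a real NS lookup in practice (assumption: a real
resolver returns an empty list on NXDOMAIN or DNS failure, like dnsdb).
"""

from typing import Callable, Iterable

# Constructed sample NS data: sender domain -> NS records as a resolver would
# return them. Mixed case and trailing root dots are deliberate.
STUB_NS_RECORDS = {
    "fresh-domain-0412.example": ["NS1.spammer-ns.example.", "ns2.spammer-ns.example."],
    "bank.example": ["ns1.bank.example.", "ns2.bank.example."],
    "lookalike.example": ["ns.notspammer-ns.example."],  # must not match on a substring test
    "nxdomain.example": [],                              # no NS records / lookup failure
}


def stub_resolve_ns(domain: str) -> list[str]:
    """Stand-in for Exim's ${lookup dnsdb{>: ns=...}}; [] on failure."""
    return STUB_NS_RECORDS.get(domain.lower(), [])


def normalise(name: str) -> str:
    """DNS names are case-insensitive and may carry a trailing root dot."""
    return name.lower().rstrip(".")


def nameserver_matches(ns_name: str, blocked_ns_domain: str) -> bool:
    """True if ns_name is blocked_ns_domain or a host beneath it (label-aligned suffix)."""
    ns_name = normalise(ns_name)
    blocked = normalise(blocked_ns_domain)
    return ns_name == blocked or ns_name.endswith("." + blocked)


def sender_nameserver_blocked(
    sender_domain: str,
    blocked_ns_domains: Iterable[str],
    resolve_ns: Callable[[str], list[str]] = stub_resolve_ns,
) -> tuple[bool, str]:
    """Decide whether to reject based on the sender domain's nameservers.

    Returns (blocked, log_message). As in the ACL, a null sender (bounce) or a
    domain with no NS records is never blocked, only logged.
    """
    if not sender_domain:
        return False, "no sender domain (null sender), skipping nameserver check"
    nameservers = [normalise(n) for n in resolve_ns(sender_domain)]
    # Same shape as the ACL's log_message, using Exim's ':' list separator.
    log = f"nameservers for {sender_domain}: {':'.join(nameservers) or '<none>'}"
    for ns in nameservers:
        for blocked in blocked_ns_domains:
            if nameserver_matches(ns, blocked):
                return True, f"{log} (matched {normalise(blocked)})"
    return False, log


if __name__ == "__main__":
    BLOCKED = ["spammer-ns.example"]  # constructed placeholder for the spammer's NS domain
    for dom in ["fresh-domain-0412.example", "bank.example", "lookalike.example",
                "nxdomain.example", ""]:
        blocked, msg = sender_nameserver_blocked(dom, BLOCKED)
        print(f"{dom or '<>':28} deny={blocked}  {msg}")
```

The label-aligned suffix test is the point worth copying back into the Exim regex if you want to catch every host under the spammer's nameserver domain rather than only `ns1`: a bare substring match would also fire on an unrelated domain that merely ends in the same characters.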