> EG, I'm not allowed to reject sessions from spew.spammer.com, even
> if I know with certainty that the identifier is correct.

it's not clear how you can know this for certain from EHLO. you might
know it for certain by other means, such as if you had an IPsec or TLS
authenticated session. the point is that the EHLO identifier (more precisely,
the relationship between that identifier and the IP source address) really
isn't reliable enough to be used as the basis of any kind of filter.
to put it another way - nothing stops you from rejecting mail from
any host you want. but it's a violation of the protocol to use
the EHLO identifier to decide whether the mail is from a host that you
want to reject. the only ways to "know with certainty" that this is
from a particular host don't involve EHLO.
Keith
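
An added illustration of the distinction drawn in the message above, not code from the message or from any mail server: a connection policy that decides only on the peer address or a TLS-authenticated name and treats the EHLO argument as log data. The Session fields, the blocklists and all addresses and names other than spew.spammer.com are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass


@dataclass(frozen=True)
class Session:
    peer_ip: str                                  # source address of the TCP connection
    ehlo_name: str                                # unauthenticated text sent after EHLO
    tls_verified_names: frozenset = frozenset()   # names from a validated client certificate


# Constructed policy data (documentation address ranges).
BLOCKED_NETS = [ipaddress.ip_network("192.0.2.0/24")]
BLOCKED_TLS_NAMES = {"spew.spammer.com"}


def decide(s: Session):
    """Return (action, reason). The EHLO name never influences the action."""
    ip = ipaddress.ip_address(s.peer_ip)
    if any(ip in net for net in BLOCKED_NETS):
        return ("reject", "peer address in blocked network")
    hit = BLOCKED_TLS_NAMES & {n.lower() for n in s.tls_verified_names}
    if hit:
        return ("reject", "authenticated identity " + sorted(hit)[0])
    return ("accept", "no authenticated match; EHLO %r logged only" % s.ehlo_name)


# Constructed sessions:
SAMPLES = [
    # Claims the blocked name in EHLO, but nothing authenticates the claim.
    Session("198.51.100.7", "spew.spammer.com"),
    # Blocked source address announcing an unrelated EHLO name.
    Session("192.0.2.25", "mail.example.org"),
    # Client certificate validated for the blocked name; EHLO says otherwise.
    Session("203.0.113.9", "relay.example.net", frozenset({"Spew.Spammer.Com"})),
]

if __name__ == "__main__":
    for s in SAMPLES:
        print(s.peer_ip, s.ehlo_name, "->", decide(s))
```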