
Re: clarification re 2821, s4.1.4

2002-08-17 14:10:30

EG, I'm not allowed to reject sessions from, even
if I know with certainty that the identifier is correct.

it's not clear how you can know this for certain from EHLO.  you might
know it for certain by other means, such as if you had an IPsec or TLS
authenticated session.  the point is that the EHLO identifier (more precisely,
the relationship between that identifier and the IP source address) really
isn't reliable enough to be used as the basis of any kind of filter.

to put it another way - nothing stops you from rejecting mail from
any host you want.  but it's a violation of the protocol to use
the EHLO identifier to decide whether the mail is from a host that you
want to reject.  the only ways to "know with certainty" that this is
from a particular host don't involve EHLO.

We have ample experience that says trying to match up the argument to EHLO with
IP address information in any way isn't sufficiently reliable. That's why
this is specifically prohibited. 

But I don't think this generalizes. We had a recent case where a large ISP was
being inundated with bogus messages. (I don't know if this was a DOS attack or
merely spam.) The messages were coming from a variety of different addresses on
a variety of different networks. But the one thing they all had in common was
that they had the exact same domain listed as their EHLO argument. The ISP
actually went to the trouble of contacting the owner of this domain name and
was informed that the owner would under no circumstances actually use it as an
argument to EHLO.

Of course a block in such a case will only work for as long as it takes the
people sending the messages to realize what's going on and work around it. But
do you really think it is wrong to impose a temporary block of this one
argument value in this specific case?
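
The scenario in the last two paragraphs, as an added example that is not part of the original message: it surfaces EHLO arguments presented from many unrelated networks for operator review, then applies a block on the exact argument value that expires on its own. The session data, function names, network granularity, threshold and 24-hour lifetime are all assumptions made for illustration.

```python
import ipaddress
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample sessions (timestamp, source IP, EHLO argument); not real traffic.
SESSIONS = [
    (datetime(2002, 8, 17, 14, 0), "192.0.2.10", "mx.example.com"),
    (datetime(2002, 8, 17, 14, 1), "198.51.100.7", "MX.EXAMPLE.COM"),
    (datetime(2002, 8, 17, 14, 1), "203.0.113.99", "mx.example.com."),
    (datetime(2002, 8, 17, 14, 2), "192.0.2.77", "mx.example.com"),
    (datetime(2002, 8, 17, 14, 3), "198.51.100.20", "relay.example.net"),
    (datetime(2002, 8, 17, 14, 4), "198.51.100.21", "relay.example.net"),
]

def normalize(arg):
    """Domain names compare case-insensitively; drop a trailing root dot."""
    return arg.strip().lower().rstrip(".")

def network_of(ip):
    """Coarse source network: /24 for IPv4, /48 for IPv6 (assumed granularity)."""
    prefix = 24 if ipaddress.ip_address(ip).version == 4 else 48
    return ipaddress.ip_network(f"{ip}/{prefix}", strict=False)

def shared_arguments(sessions, min_networks=3):
    """EHLO arguments seen from at least min_networks distinct networks.
    These are candidates for an operator to confirm, not an automatic verdict."""
    seen = defaultdict(set)
    for _, ip, arg in sessions:
        seen[normalize(arg)].add(network_of(ip))
    return {arg: nets for arg, nets in seen.items() if len(nets) >= min_networks}

class TemporaryEhloBlock:
    """Blocks exact argument values until expiry; never compares argument to IP."""
    def __init__(self):
        self._expires = {}

    def add(self, arg, now, ttl=timedelta(hours=24)):
        self._expires[normalize(arg)] = now + ttl

    def is_blocked(self, arg, now):
        key = normalize(arg)
        expiry = self._expires.get(key)
        if expiry is not None and now >= expiry:
            del self._expires[key]  # lapse so a stale entry cannot linger
            expiry = None
        return expiry is not None
```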

