[Exim] Very anoying virus behavior

One of the things I've noticed about this latest email worm is that it
seems to be doing a namelist attack. Looking at my logs, I'm getting
hundreds of hits to nonexistant names. Occasionally it finds a valid
one, which is rejected by exiscan rule.

Anyway, rather than waste my mail servers time and bandwidth, I was
thinking along the lines of processing the logs looking for the pattern,
and adding a firewall rule to drop the host. Has anyone done that already or
working on something like this? Greylisting doesn't seem like it would work as
this worm does multiple tries.

Maybe a "infected by worm" DNSBL would work. Of course due to the
wonderful security of Windows and typical clueless users, this just may
end up being half the internet.