Just had the joy of having to deal with the backscatter of a spam run with addresses from my domains (nonexistent boxes though) as sender. And while my Mimedefang setup is reasonably sophisticated, that run actually showed yet another minor loophole.
Minor as in "nothing bad happens that affects the public" but not minor otherwise: I got postmaster-bounces of every single "thanks for your bounce of the spam, but there is no such address here anyway". About 200 of them every few minutes.
Well, no longer. Mimedefang now fully checks whether cyrus boxes exist before letting sendmail get its greedy paws on the stuff. Still, the effort necessary to keep the assholes out but the good mail arriving at the same time is quite annoying.