Maintaining state, so you can drop NDRs that arrive as a result of someone spoofing your domain/s.
What I'm doing is this:
- store a hash of the From:, To: and Date: headers of all outgoing mail
- accept all bounces that include From:, To: and Date: headers whose hash matches a stored hash
- remove stored hashes older than 4 days
This method does lead to rejection of valid bounces that don't include the above-mentioned headers. However, I consider those bounces useless anyway.
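A minimal sketch of the scheme described above, as an added example that is not the poster's own code. It assumes SHA-256, an in-memory store, and bounces that carry the original message as a `message/rfc822` or `text/rfc822-headers` part; `BounceFilter`, `header_hash` and the sample messages are hypothetical names and constructed data.

```python
import hashlib
import time
from email import message_from_string, policy

RETENTION = 4 * 24 * 3600  # the 4-day window from the post, in seconds

def header_hash(msg):
    """SHA-256 over the whitespace-normalised From:, To: and Date: values."""
    vals = [" ".join(str(msg.get(h, "")).split()) for h in ("From", "To", "Date")]
    if not all(vals):
        return None  # a header is missing, so there is nothing to match on
    return hashlib.sha256("\n".join(vals).encode()).hexdigest()

class BounceFilter:
    def __init__(self):
        self.sent = {}  # hash -> time stored (in-memory store is an assumption)

    def record_outgoing(self, raw, now=None):
        h = header_hash(message_from_string(raw, policy=policy.default))
        if h:
            self.sent[h] = time.time() if now is None else now

    def purge(self, now):
        self.sent = {h: t for h, t in self.sent.items() if now - t <= RETENTION}

    def accept_bounce(self, raw, now=None):
        now = time.time() if now is None else now
        self.purge(now)
        bounce = message_from_string(raw, policy=policy.default)
        for part in bounce.walk():
            ctype = part.get_content_type()
            if ctype == "message/rfc822":
                original = part.get_payload(0)  # the embedded original message
            elif ctype == "text/rfc822-headers":
                original = message_from_string(part.get_content(), policy=policy.default)
            else:
                continue
            if header_hash(original) in self.sent:
                return True
        return False  # no embedded headers, or no stored hash matches

# Constructed sample data, not taken from the original post.
SENT = ("From: alice@example.org\nTo: bob@example.net\n"
        "Date: Mon, 06 Jan 2025 10:00:00 +0000\nSubject: hi\n\nhello\n")

def sample_bounce(original, ctype="message/rfc822"):
    return ("From: MAILER-DAEMON@example.net\nTo: alice@example.org\n"
            'Content-Type: multipart/report; boundary="b"\n\n'
            "--b\nContent-Type: text/plain\n\nDelivery failed.\n"
            "--b\nContent-Type: " + ctype + "\n\n" + original + "\n--b--\n")
```

A bounce that embeds no original headers falls through to `return False`, which is the rejection of header-less bounces the post accepts as a trade-off.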