Once qmail-smtpd has started, filters can use the message envelope and data to trigger more filter rules. Some of the filters require patching the filter code into qmail-queue, while others can use the QMAILQUEUE patch to run the filters on the incoming message before queueing it for delivery.
The three most useful checks in the daemon itself are MAIL FROM rejection, RCPT TO rejection, and Windows EXE virus rejection.
The standard qmail control file badmailfrom lists addresses and domains to reject as MAIL FROM arguments. The addresses are listed literally, domains preceded by @, so an address email@example.com is rejected if either firstname.lastname@example.org or @example.com appears. The rejection actually happens at subsequent RCPT commands because it's clearer to some SMTP clients that the mail can't be delivered.
I wrote a "badrcptto" patch, available at qmail.org, that lets you list recipient addresses to reject by putting them in badrcptto or morebadcptto, which is compiled into morebadrcptto.cdb by the new program qmail-newbrt. It only lists addresses; the way to reject recipient domains is to not put them in rcpthosts. The rejections happen after the DATA command to deter dictionary validation attacks. (Typical dictionary attacks start by trying a garbage address or two, in order to see whether the recipient MTA rejects them, and if they're not rejected, the attacker goes away.) The main point of badrcptto is one of efficiency. ...