So,
The exim4 + eximconfig configuration is pretty darn good about blocking spam ... but it's not quite 100%.
And ... bad bots, etc., have already started to pick up the @temp.balug.org list posting addresses - no surprise there, and I'm sure they'll likewise also pick up @lists.balug.org - and/or already have those addresses from earlier.
So ... fortunately has been quite low volume :-) ... but there has been some spam/UCE making it through exim4 + eximconfig to the list posting addresses (and then held for moderation as "post" from non-member). Have reviewed those, and ... heck no, haven't added 'em to Mailman's automatic rejection (that would be relatively uselessly "too late" (post-SMTP)) ... but did make some selective additions in the exim4 + eximconfig configuration.
Most notably, the wee bit 'o spam/UCE that had made it through to list posting addresses, seemed to fit roughly in 2 general categories (at least from that seen thus far):
Unsolicited Commercial Email (UCE) spam - from senders/businesses that might otherwise be/seem quite legitimate, but are sending email that's very much unsolicited, not confirmed opt-in, typically in violation of relevant regulations, etc. regarding anti-spam ... but they're sending anyway (they ought be hit by a clue-by-four). And also not a "Joe job" - someone/something impersonating an otherwise legitimate sender (spoofed). So ... for the few of those (I think about two thus far), I added their domains to be blocked by exim4 + eximconfig as spam.
And the others ... sufficiently well constructed to make it past the spam filters, but most likely fly-by-night spam operations - e.g. buy up some cheap or ultra-cheap domain, set up some DNS/email infrastructure, and ... start spamming. Not much to be done about those ... except, where they're yet another crud TLD I'd not already so added, added the TLD for explicit greylisting (e.g. TLD bid). That doesn't necessarily stop spam from those, but ends up thwarting a quite large percentage of them - while also letting through any (theoretical) legitimate email - without too much additional burden/delay on sender (e.g. one would think .xzy is utter cr*p, ... but I know of one person that legitimately has and uses such a domain ... perhaps not at all for email, but ... at least hypothetically). So ... all those "crud" domains ... (and spammy country code TLDs, etc.), generally inclined to treat 'em with additional scrutiny (notably also adding greylisting), but not absolutely outright block/reject 'em. Also, might not / probably wouldn't be a good idea, but could also add additional layer of requiring callouts on those too ... but that could be a bad thing - even for such highly suspect domains - so not even seriously considering it at this time.
I might also do some blanket adding of "crud" TLDs for additional checks (notably greylisting). So far I've based it upon what eximconfig gave as default starting point, plus some adjustments notably for those I've never seen send a legitimate email but I see (notably elsewhere) sending plenty of spam (enough for me to recall and groan about thinking of the TLD, without even looking over spam collection details/stats).
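To make the block-versus-greylist distinction above concrete, here is an added Python sketch (not eximconfig's or Exim's own code; the block list, TLD list and timing constants are constructed examples): senders on the explicit UCE block list are rejected at SMTP time, senders from "crud" TLDs are temp-failed until they retry after a short wait, and everything else passes untouched. A fly-by-night spammer that never retries is never accepted, while a real MTA that retries gets through.

```python
from dataclasses import dataclass, field
import time

# Constructed policy lists for illustration; the real eximconfig lists differ.
BLOCKED_DOMAINS = {"uce-sender.example"}   # the few explicitly rejected UCE senders
GREYLIST_TLDS = {"bid", "xyz", "top"}      # "crud" TLDs: extra scrutiny, not rejection
RETRY_MIN = 300        # seconds a sender must wait before a retry is accepted
RETRY_MAX = 4 * 3600   # seconds after which a pending greylist entry goes stale

@dataclass
class Greylist:
    """Minimal greylist keyed on the (client IP, envelope sender, recipient) triplet."""
    pending: dict = field(default_factory=dict)   # triplet -> time of first attempt
    passed: set = field(default_factory=set)      # triplets that retried properly

    def decide(self, ip, sender, rcpt, now=None):
        """Return 'reject', 'defer' (4xx temp-fail) or 'accept' for one delivery attempt."""
        now = time.time() if now is None else now
        domain = sender.rsplit("@", 1)[-1].lower()
        tld = domain.rsplit(".", 1)[-1]
        if domain in BLOCKED_DOMAINS:
            return "reject"                       # known UCE sender: refuse at SMTP time
        if tld not in GREYLIST_TLDS:
            return "accept"                       # ordinary TLD: no greylisting applied
        key = (ip, sender.lower(), rcpt.lower())
        if key in self.passed:
            return "accept"                       # already proved it retries like a real MTA
        first = self.pending.get(key)
        if first is None or now - first > RETRY_MAX:
            self.pending[key] = now               # first (or stale) attempt: ask for a retry
            return "defer"
        if now - first < RETRY_MIN:
            return "defer"                        # retried too soon; keep temp-failing
        self.passed.add(key)                      # proper retry: let it through from now on
        del self.pending[key]
        return "accept"
```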
Oh, random bit - I did see a very small percentage of list subscriber addresses that do callouts (as evidenced in the logs).
And also, mailman has pretty good logs ... I don't have to worry too much about "oh, I just deleted all those spam emails ... what if I wanted to add some more anti-spam measure at SMTP time for them?" ... not an issue - can find most relevant bits about those held for moderation of post attempt from non-member in the mailman logs - at least for some reasonable period.