03-07-2018 02:51 AM - edited 03-08-2019 07:34 PM
Hello Community,
What is the better practice to blacklist a specific sender, i.e. "guy@badguys.com" or "@badguys.com"?
- use the "Sender Verification Exception Table", set the address to "reject", and enable the table on the mail flow policy "blocked"?
or
- use an "Incoming Mail Policy" on these senders with an "incoming content filter" that blocks/drops/bounces the mail?
AFAIK the better one should be the exception table, because the mail is already blocked during the SMTP dialog. Is this right?
Regards Roman
03-07-2018 03:42 AM
Blocking an email at the connection level is certainly better, since it saves resources.
However, sender verification is DNS based and HAT Blacklist only accepts sending IP/hostname as entries. These do not provide you options to block a domain or email address specifically.
Sender verification exception table is used to set exceptions for domains who you do not wish to run sender verification on, so that isn't used for blocking.
To block a specific email address/domain you would always need message/content filters.
Regards,
Libin Varghese
03-07-2018 03:44 AM - edited 03-07-2018 03:47 AM
There are very few occasions where it's worth blocking by sender or envelope address or domain. I only do it where there's a persistent problem with an actual sender who's unlikely to morph. Most of my blocks are by sending server or IP range, aimed at ESPs and "bulletproofs" who think that abuse from their network is perfectly acceptable. The HAT Says No.
Having said that, if you're going to go after the problem at that level then you will have to do your diligence first, and keep evidence that the block was merited. Diligence means checking over the suggested host name or IP range to see who else uses it, and evidence means keeping copies of not one but multiple abuses to substantiate your action. My own selectively pruned Abuse store runs to 940Mb for a relatively small collection of 2,000 private recipients, and if you are providing a service to the public or other organisations then data protection regulations may limit what you can retain.
Diligence checks will also turn up cases where it turns out that the sender has a significant output of genuine mail, and in those cases you'll have to sharpen your aim or try a different tactic.
However, the biggest problem is going to be the time needed to do all of this, which is probably why you may want to limit any action to the sort of specific "problem" sender I mentioned above and leave the mainstream spam handling to the Greymail feature, URL filtering or the spam reporting plug-in. For dealing with the small number of "individual" cases I maintain custom dictionaries of both hosts and sender addresses then have content rules operate on that. You can double up with both "grey" and "black" dictionaries, where a hit on one merely notes or quarantines a mail and a hit on another goes straight to a drop action, which of course makes the mail irretrievable.
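As an added illustration (not part of any post in this thread, and not Cisco ESA code), a small Python model of the distinction drawn above: a HAT blacklist only ever sees the connecting host, while a content-filter stage sees the envelope sender and can apply the "grey"/"black" dictionary scheme. The IP ranges, addresses and dictionary entries are constructed samples.

```python
"""Model of why a HAT blacklist and an envelope-sender dictionary filter catch
different things. Constructed illustration only: a real ESA is configured through
its GUI/CLI sender groups and content filters, not through Python like this."""
from ipaddress import ip_address, ip_network

# HAT-style blacklist: entries are connecting hosts / IP ranges (constructed).
HAT_BLACKLIST = [ip_network("203.0.113.0/24")]

# Dictionaries keyed on envelope sender, as in the grey/black scheme (constructed).
BLACK_DICT = {"guy@badguys.com", "@badguys.com"}
GREY_DICT = {"@bulk-newsletters.example"}

def hat_verdict(connecting_ip: str) -> str:
    """Connection-level check: only the sending server's IP is available here."""
    ip = ip_address(connecting_ip)
    return "REJECT" if any(ip in net for net in HAT_BLACKLIST) else "ACCEPT"

def _matches(sender: str, entries: set) -> bool:
    """Exact address entries match the whole address; '@domain' entries match
    the domain and its subdomains. Comparison is case-insensitive."""
    sender = sender.strip().lower()
    if "@" not in sender:
        return False
    domain = sender.rsplit("@", 1)[1]
    for entry in entries:
        e = entry.lower()
        if e.startswith("@"):
            d = e[1:]
            if domain == d or domain.endswith("." + d):
                return True
        elif sender == e:
            return True
    return False

def filter_verdict(mail_from: str) -> str:
    """Content/message-filter stage: the envelope sender is known, so a black
    hit drops and a grey hit only quarantines, as in the two-dictionary scheme."""
    if _matches(mail_from, BLACK_DICT):
        return "DROP"
    if _matches(mail_from, GREY_DICT):
        return "QUARANTINE"
    return "DELIVER"

def evaluate(connecting_ip: str, mail_from: str) -> str:
    """Run the stages in SMTP order: the HAT decides before MAIL FROM is seen."""
    if hat_verdict(connecting_ip) == "REJECT":
        return "REJECT"
    return filter_verdict(mail_from)

if __name__ == "__main__":
    # Same bad sender from a clean IP: only the envelope-sender filter catches it.
    print(evaluate("198.51.100.7", "guy@badguys.com"))  # DROP
```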
03-07-2018 05:10 AM
07-31-2019 11:49 PM
You cannot match a sender's email domain via the Blacklist Sender Group since it refers to the hostname or IP address of the connecting server, not necessarily the sender's domain. Hence, the recommended way to blacklist a sender's email domain is by using 'Incoming mail policy' and content filter > https://www.cisco.com/c/en/us/support/docs/security/email-security-appliance/118551-qa-esa-00.html. Is there anyone out there who uses the Blacklist Sender Group extensively, or do most of you use content filtering?
08-01-2019 03:46 AM
03-19-2018 08:15 AM
Sorry to come back so late, but many thanks to all of you for your replies.
Well, I'll use an incoming policy to solve this.
Regards
Roman