There is a MOS knowledge article which gives a simple answer:
How to Restrict Number of Emails Sent Per-user by Using a MeterMaid ? (Doc ID 1542987.1)
And this one also includes a pointer to the docs:
Metermaid Appears to be Counting Invalid Recipient Addresses Multiple Times (Doc ID 1569500.1)
There are a couple of interesting options available in CommSuite.
After you get that up and running per the MOS article, you can set a few mappings so that you use the auth username as the criterion to count in Metermaid, since this will always be the same for each SMTP AUTH username used, even if the bad actor rotates through forged MAIL FROMs.
To count MAIL FROMs you can use a mapping like the below in FROM ACCESS.
throttle_sender_ssl,$4]$N421$ Too$ many$ messages$ from$ this$ sender.$ Please$ try$ again$ later.
To count RCPT TO and still store the auth username in Metermaid, I had to first set the USE_AUTH_RETURN MTA option to 2 so that a SEND ACCESS mapping would reference the SMTP AUTH username. Then I set a mapping like the below in SEND ACCESS.
throttle_recipient_ssl,$1]$N421$ Too$ many$ messages$ from$ this$ sender.$ Please$ try$ again$ later.
I also set some tcp_submit channel options to hopefully inconvenience the bad actors.
I found it pretty effective to have both the per-connection settings on the channel and the "per time frame" settings leveraged by Metermaid.
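
Added illustration, not part of the original post and not Metermaid's own code: a small simulation of why the throttle key matters when a compromised SMTP AUTH account rotates forged MAIL FROMs. The sliding-window counter, the quota of 5 per 60 seconds, the field names and the sample events are all assumptions made for the example.

```python
from collections import defaultdict


class ThrottleTable:
    """Simplified sliding-window counter: at most `quota` accepted hits
    per key in any `window` seconds (a stand-in, not Metermaid's algorithm)."""

    def __init__(self, quota, window):
        self.quota = quota
        self.window = window
        self.hits = defaultdict(list)  # key -> timestamps of accepted hits

    def allow(self, key, now):
        # Keep only the accepted hits that are still inside the window.
        recent = [t for t in self.hits[key] if now - t < self.window]
        allowed = len(recent) < self.quota
        if allowed:
            recent.append(now)
        self.hits[key] = recent
        return allowed


def simulate(events, key_field, quota=5, window=60):
    """Replay events through one table keyed on `key_field` and return
    the number of rejected messages per authenticated user."""
    table = ThrottleTable(quota, window)
    rejected = defaultdict(int)
    for ev in events:
        if not table.allow(ev[key_field], ev["time"]):
            rejected[ev["auth_user"]] += 1
    return dict(rejected)


# Constructed sample traffic: "alice" is a compromised account sending one
# message per second, each with a different forged MAIL FROM; "bob" is a
# normal user sending three messages from his own address.
EVENTS = [{"time": i, "auth_user": "alice",
           "mail_from": f"forged{i}@example.com"} for i in range(20)]
EVENTS += [{"time": 5 * i, "auth_user": "bob",
            "mail_from": "bob@example.com"} for i in range(3)]
EVENTS.sort(key=lambda e: e["time"])

if __name__ == "__main__":
    print("keyed on MAIL FROM:    ", simulate(EVENTS, "mail_from"))
    print("keyed on auth username:", simulate(EVENTS, "auth_user"))
```

Keyed on the envelope sender, every forged address gets its own fresh counter and nothing is rejected; keyed on the auth username, the compromised account is cut off after its quota while the normal user is unaffected.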