Found this in our mail server logs:
relay=OWNED.HACKED.BITE.ME [IP removed], reject=550 5.7.1 No mail accepted from known spam hosts or exploited systems
This was a connection we rejected because the sending IP was on the Spamhaus XBL list of exploited systems. (Everything from reject on is the error message we returned.) Apparently whoever wrote the spam tool decided to advertise that fact when sending mail.