Theresa O’Connor

improving your spam filtering

There's a bunch of spam making it through my filters that fills in the X-Authentication-Warning and/or X-Mailer headers with gibberish. It's pretty hard to make use of X-Mailer for filtering this stuff, as the known good values are many, but X-Authentication-Warning should really only have a few different kinds of values. So I wrote this sieve rule today, and it's already cut down on my spam quite a bit:

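# fileinto is an extension and must be declared at the top of the script.
require ["fileinto"];

# If the header is present but matches neither known-good phrase,
# file the message as probable spam and stop processing.
if exists "X-Authentication-Warning" {
  if not header :contains "X-Authentication-Warning"
                          ["set sender to", "owned process"] {
    fileinto "/home/ted/Mail/spam/maybe";
    stop;
  }
}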
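
To check what the rule would catch in mail you already have before deploying it, the same test can be run offline. This is an added example, not part of the original post: the function names and sample messages are constructed for illustration, and it mirrors the Sieve semantics (header unfolding, case-insensitive :contains, any matching header instance counts).

```python
import email
import re
from email import policy

HEADER = "X-Authentication-Warning"
# The two substrings allowed by the Sieve rule above.
KNOWN_GOOD = ("set sender to", "owned process")

def is_suspect(raw: bytes) -> bool:
    """True when the Sieve rule would file this message into spam/maybe."""
    msg = email.message_from_bytes(raw, policy=policy.compat32)
    values = msg.get_all(HEADER)
    if not values:
        return False  # `exists` is false, so the rule does not apply
    for value in values:
        # Unfold continuation lines; :contains defaults to the
        # case-insensitive comparator i;ascii-casemap.
        text = re.sub(r"\r?\n", "", str(value)).lower()
        if any(key in text for key in KNOWN_GOOD):
            return False  # one matching instance satisfies `header`
    return True

# Constructed sample messages (hypothetical, not real mail).
SAMPLES = {
    "sendmail-f": b"From: a@example.org\n"
                  b"X-Authentication-Warning: mx.example.org: www set sender"
                  b" to a@example.org using -f\n\nbody\n",
    "folded-bs": b"From: b@example.org\n"
                 b"X-Authentication-Warning: mx.example.org: daemon Owned\n"
                 b" Process doing -bs\n\nbody\n",
    "gibberish": b"From: c@example.org\n"
                 b"X-Authentication-Warning: qzxv kjhw 8841 lmnop\n\nbody\n",
    "no-header": b"From: d@example.org\nSubject: hello\n\nbody\n",
}

def triage(samples):
    """Names of the samples the rule would divert, sorted."""
    return sorted(name for name, raw in samples.items() if is_suspect(raw))

if __name__ == "__main__":
    print(triage(SAMPLES))
```

Feeding it the raw messages from an existing inbox and spam folder shows how many legitimate messages carry a warning phrased differently from the two allowed substrings.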