I do not have a "catch-all"; I have a single domain which I set up a separate email address for each correspondent, which I must manually add to /etc/aliases to accept mail at that address; anything send to an address not listed there will be rejected.

I do not think I ever received any spam.