The mechanism I use is ordered. All specific aliases are tried first and then it falls through to the catch-all forwarding rule.

So, it's a piece of cake to add "{random}@example.com" to the block list. Usually it's something like "[email protected]".