You really can't, at least not effectively. While you can block inbound traffic by IP address, either a single IP or range of IPs, using ACLs, that won't stop all SPAM. If you know for a fact that you will never need to receive e-mails from certain regions, you can block all IP addresses from those regions. Managing that can be a pain, however. For example, all IP addresses beginning with 61 originate in China so blocking 61.0.0.0/8 works nicely, IP addresses beginning with 151 are scattered all over the globe so blocking 151.0.0.0/8 may very well block legitimate inbound e-mail.
You can use ACLs to just block port 25 traffic inbound from whatever IP ranges you wish, but managing that at the router level is going to be a nightmare. Then of course you have the issue of false positives to deal with.
If you want to block spam before it even hits your Exchange server, you'll need some sort of dedicated SPAM filter in front of it that you route all port 25 traffic through. Then, as you identify blocks of IP addresses that are spamming you you can more easily add those IP ranges to the SPAM filter. Barracuda makes a passable one but there are dozens if not hundreds of others. Adding IP ranges to one of the SPAM filter appliances is much easier than trying to manually edit ACLs on a router. (And if you've ever edited an ACL without removing it from the interface first and turned the router into a paperweight you know what I'm talking about here.) The other advantage of using a hardware SPAM filter is that you can set it up to store spammed e-mails so that false positives can be released to the recipient. Many will allow you to release a false positive and whitelist the sender (by e-mail address, IP address, e-mail domain, etc) at the same time.