These are often addresses created manually by 'click farmers' so they don't have obvious patterns which could enable an email service provider to identify them. (I'm still working on figuring out ways to detect this...)
Or, send spam to a new address via another service, then only use SESS to send to the ones who had opened or clicked on the other service. This is known as 'waterfalling'. Using this method, bounce rates can approach zero, and complaints/unsubscribes are likely to stay below 1% each - but make no mistake, ISPs can and will often still detect the email as spam.
You will need more complex ways to detect approaches like these, as well as other forms of spam/abuse. I would suggest starting with looking at thresholds for bounces, unsubscribes, and complaints independently - sometimes complaint rates of 0.1% can be a strong indicator of spam.
Related - don't limit your contractually-defined recourse to just SBUR rates. I would recommend including terms that allow you to ban or suspend users for any form of spam or abusive activity, "in the sole judgement of SESS.EMAIL" or similar. (I am not a lawyer and this is not legal advice.)
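An added illustration of the per-metric thresholds suggested above (not part of the original comment and not SESS code): each rate is checked on its own and compared with a single combined limit. Only the 0.1% complaint figure comes from the text; the other limits, the minimum volume, all names and the sample senders are assumptions constructed for the example.

```python
from dataclasses import dataclass

# Per-metric limits as fractions of mail sent. Only the 0.1% complaint value is
# taken from the text above; the bounce and unsubscribe limits are assumed.
THRESHOLDS = {"bounce": 0.05, "unsubscribe": 0.01, "complaint": 0.001}
COMBINED_LIMIT = 0.05  # assumed single combined-rate limit, for comparison only
MIN_SENT = 1000        # assumed: below this volume the rates are too noisy

@dataclass
class SenderStats:
    sender: str
    sent: int
    bounces: int
    unsubscribes: int
    complaints: int

def rates(s):
    """Per-metric rates for one sender; all zero if nothing was sent."""
    counts = {"bounce": s.bounces, "unsubscribe": s.unsubscribes,
              "complaint": s.complaints}
    return {m: (n / s.sent if s.sent > 0 else 0.0) for m, n in counts.items()}

def independent_flags(s):
    """Metrics at or over their own limit, each judged separately."""
    if s.sent < MIN_SENT:
        return []
    r = rates(s)
    return sorted(m for m, limit in THRESHOLDS.items() if r[m] >= limit)

def combined_flag(s):
    """True if the summed rate reaches the single combined limit."""
    return s.sent >= MIN_SENT and sum(rates(s).values()) >= COMBINED_LIMIT

def review(stats):
    """Map each sender to the result of both checks."""
    return {s.sender: {"independent": independent_flags(s),
                       "combined": combined_flag(s)} for s in stats}

# Constructed sample data. "waterfalled" has near-zero bounces and complaints and
# unsubscribes under 1% each, matching the pattern described in the text.
SAMPLE = [
    SenderStats("newsletter", 50000, 400, 150, 5),
    SenderStats("waterfalled", 20000, 10, 120, 60),
    SenderStats("purchased-list", 10000, 1200, 40, 30),
    SenderStats("tiny", 200, 0, 0, 1),
]

if __name__ == "__main__":
    for sender, result in review(SAMPLE).items():
        print(sender, result)
```

The "waterfalled" sender passes the combined check but is flagged on its complaint rate alone.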