Been there and done that. I just LOVE this sort of thing.
The bottom line is that you need to balance performance, false positives and false negatives.
Unfortunately the right balance will be different for each customer, but luckily SpamDyke can handle that for you without too much hassle.
The only blacklist which you can safely use at the smtp level is the spamhaus list (e.g. zen). Even then you might experience problems from time to time, but these are manageable.
Personally I don't want to waste cpu cycles on spammers. This means filtering as much at the smtp level as I can. This starts with blocking IPs with no rdns and blocking everything on the zen list, both via spamdyke. No exceptions, unless a customer has a problem receiving from a legitimate sender with misconfigured email server, in which case we're willing to whitelist that sender.
After this, I use customer-domain-level options. For my own domains, I block all sorts of things that might normally be prone to false positives. For example rdns that does not forward resolve to an IP, and email "from" domains with no MX records (this is quite false-positive prone - even email from big "names" fails this test when they use subdomains for outgoing email (e.g. firstname.lastname@example.org) but no such subdomains for incoming (e.g. domain.tld)).
Next I add the spamcop list, sorbs list* and barracuda list for a complete block on my domains (not recommended for customers!). * Stopped using sorbs -- got fed up with it after it got sold.
Actual customers do have the option to use my "strong" options if they want basically no spam but plenty of false positives, or they can use the normal option which moves spamcop, barracuda, hostkarma, and several other blacklists to the Spamassassin scoring system, as well as disabling no MX, forward resolving, and a few other things.
We also whitelist certain things both in SpamAssassin and Spamdyke (different things usually). Such whitelisting would normally be asking for trouble (e.g. if you were to whitelist all AOL or MSN addresses in SpamAssassin you'd be up to your eyeballs in various Nigerian 419s), but so far our combinations, which change from time to time, seem to be doing the trick.
Actually we've found the 419s to be the hardest to deal with because they are usually sent via legit senders, and can only be filtered by their content.
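The two-tier policy described in the post above (hard rejects at the SMTP level, with the more false-positive-prone lists either rejecting in the "strong" profile or only adding to a content-filter score in the "normal" one), sketched as an added example that is neither the poster's configuration nor spamdyke's own code. The function names, the per-list score and the sample listings are assumptions; the DNS lookup is injected so the logic runs offline.

```python
import ipaddress

# Zones named in the post; the tier each lands in follows the post's description.
SMTP_REJECT = ["zen.spamhaus.org"]                      # blocked for everyone
TIERED = ["bl.spamcop.net", "b.barracudacentral.org"]   # reject in "strong", score in "normal"
ASSUMED_SCORE = 2.0  # assumption: points per listing handed to the content filter

def dnsbl_name(ip, zone):
    """Build the DNSBL query name: reversed IPv4 octets followed by the zone."""
    octets = str(ipaddress.IPv4Address(ip)).split(".")
    return ".".join(reversed(octets)) + "." + zone

def evaluate(ip, rdns, sender_has_mx, profile, listed):
    """Return ("reject", reason) or ("accept", score).

    listed(name) -> bool stands in for the DNS lookup (hypothetical hook);
    rdns is the PTR name of the connecting IP, or None when there is none.
    """
    if not rdns:
        return ("reject", "no rDNS")
    for zone in SMTP_REJECT:
        if listed(dnsbl_name(ip, zone)):
            return ("reject", zone)
    score = 0.0
    for zone in TIERED:
        if listed(dnsbl_name(ip, zone)):
            if profile == "strong":
                return ("reject", zone)
            score += ASSUMED_SCORE      # "normal": leave the decision to scoring
    if not sender_has_mx and profile == "strong":
        return ("reject", "sender domain has no MX")
    return ("accept", score)

# Constructed sample data: RFC 5737 documentation addresses, not real listings.
CONSTRUCTED_LISTINGS = {
    "7.2.0.192.zen.spamhaus.org",
    "9.100.51.198.bl.spamcop.net",
}

def demo():
    listed = CONSTRUCTED_LISTINGS.__contains__
    return [
        evaluate("192.0.2.7", "mail.example.net", True, "normal", listed),
        evaluate("198.51.100.9", "mail.example.net", True, "normal", listed),
        evaluate("198.51.100.9", "mail.example.net", True, "strong", listed),
        evaluate("203.0.113.5", "out.example.net", False, "normal", listed),
        evaluate("203.0.113.5", None, True, "normal", listed),
    ]

if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

Whitelisting and the forward-resolving rDNS check from the post are left out to keep the sketch to the blacklist tiers.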