Lazy network operators - NOT

Maybe a stupid question... But if broadband providers aren't going to do
this, and considering there are way less legitimate SMTP senders than
broadband users, wouldn't it make more sense to whitelist known real SMTP
sources rather than blacklist all addresses that potentially have a fake

that's not a stupid question, and you're right that statistically it's better
engineering to make a small list of good things than large lists of bad ones.
IETF MARID, my own MAIL-FROM, somebody's SPF, yahoo's "domainkeys", and lots
of other people are working on what amounts to "a whitelisting solution", and
in a few more years you might actually see some results along those lines.

We've had to do that here, simply to keep our own local antispam efforts
from inadvertently blacklisting "legit" mail servers. So far, with
relatively meager traffic over a year, I have a list of ~1300 legit mail
servers I want to block but can't, due to their assumed legit-to-spam
mail ratios, and another list of ~13,000 from whom I no longer accept
null sender mail because they accept-then-bounce to forged senders.

I haven't tried to assemble a list of all legit mail servers, though, as
I've yet to see a definition of "legit" I can sit comfortably with. Some
days, the line is drawn here, and others, it's drawn there. So, instead,
I just keep track of those I'd like to block but can't, for whatever
reason; those I block selectively; I whitelist a few more, and suffer.