I want to whitelist everyone at my site. How do I do that?

If you simply use 'whitelist_from', this is quite trivial for spammers to exploit, as it simply examines the From: headers of the mail.

One way is to use 'whitelist_from_rcvd', which requires that a hostname appear in the headers as well.

Or, for defense in depth, another way is to examine the Received: headers of locally-originating mail, identify a pattern that will work, then create a local rule for this.

For example, if every local mail passes through your mailserver with a Received line like this:

  Received: from phobos.labs.example.com (phobos.labs.example.com
         [192.168.2.14]) by mandark.labs.example.com (8.11.6/8.11.6)
         with ESMTP id g7CCUQp30306 for <someaddr@example.com>;
         Mon, 12 Aug 2002 13:30:26 +0100

Then you can construct a rule like so:

  header LOCAL_RCVD   Received =~ /from \S+\.example\.com\s+\(\S+\.example\.com\s+\[192\.168\..*\s+by\s+mandark\.labs\.example\.com/
  describe LOCAL_RCVD Received from a local machine
  score LOCAL_RCVD   -50

and that will subtract 50 points from the score for each local mail.

Note that dots, brackets, and other non-alphanumeric characters need protection with a backslash; and that whitespace should be represented using \s+ instead of spaces in case the text is broken onto multiple lines.
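To check a pattern before deploying it, the following added example (not part of the original page) runs the LOCAL_RCVD regex against the folded sample header above and against a constructed external header, and shows why literal spaces fail on folded text. It uses Python's `re`, which treats this particular pattern the same way as the Perl regex in the rule; `EXTERNAL`, `rule_hits` and `literal_to_pattern` are hypothetical names introduced for illustration.

```python
import re

# Pattern copied verbatim from the LOCAL_RCVD rule above.
LOCAL_RCVD = (r"from \S+\.example\.com\s+\(\S+\.example\.com\s+"
              r"\[192\.168\..*\s+by\s+mandark\.labs\.example\.com")

# Same pattern with every \s+ replaced by one literal space
# (the mistake the note above warns about).
LITERAL_SPACES = LOCAL_RCVD.replace(r"\s+", " ")

# The sample header value from this page, folded across lines.
FOLDED_LOCAL = (
    "from phobos.labs.example.com (phobos.labs.example.com\n"
    "         [192.168.2.14]) by mandark.labs.example.com (8.11.6/8.11.6)\n"
    "         with ESMTP id g7CCUQp30306 for <someaddr@example.com>;\n"
    "         Mon, 12 Aug 2002 13:30:26 +0100"
)

# Constructed header (assumption): mail relayed in from outside, as seen
# when only the From: address claims to be local.
EXTERNAL = (
    "from mail.example.net (mail.example.net [203.0.113.7])\n"
    "         by mandark.labs.example.com (8.11.6/8.11.6) with ESMTP\n"
    "         id g7CCUQp30307; Mon, 12 Aug 2002 13:31:02 +0100"
)

def rule_hits(pattern, received):
    """True if the rule's regex matches the Received header value."""
    return re.search(pattern, received) is not None

def literal_to_pattern(text):
    """Hypothetical helper: turn literal header text into a rule fragment.

    Escapes regex metacharacters, escapes "/" (the rule's delimiter), and
    joins words with \\s+ so that folded headers still match.
    """
    words = (re.escape(w).replace("/", r"\/") for w in text.split())
    return r"\s+".join(words)

if __name__ == "__main__":
    for name, hdr in (("folded local", FOLDED_LOCAL), ("external", EXTERNAL)):
        print(f"{name:13} LOCAL_RCVD={rule_hits(LOCAL_RCVD, hdr)} "
              f"literal-spaces={rule_hits(LITERAL_SPACES, hdr)}")
    print(literal_to_pattern("[192.168.2.14]) by mandark.labs.example.com"))
```

The fragment printed by `literal_to_pattern` is fully literal; wildcards such as `\S+` or `.*` still have to be substituted by hand where hostnames or addresses vary.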

If many sites do this, and create their own independent rules, the spammers will have to anticipate each one – which is not so easy to forge ;)
