Jeff,
I know you, and many others here, hate Challenge Response / Whitelisting, but I have to say for me it has worked great for years. Filters and SA block legit mail and allow some garbage through. C/R does not do that except in a blue moon when a spammer falsely sticks in a legit from address with an auto-response activated (for BoxTrapper which does not use a CAPTCHA webpage, but just a "reply to this message" approach).
I have a cPanel server with BoxTrapper and a DA server. I MUCH prefer DA overall, but cannot move all my domains over due to the BoxTrapper reliance for some addresses I, and my clients, get slammed with spam on and must have some form of C/R. I wish DA had a solution as such.
I have to disagree with you that it turns me into a spammer, because 90% of the time, spammers use bogus "from" / "reply to" email addresses and the mail will die after a few failed attempts at delivery (thus the greylisting idea). Do some spammers stick some poor unsuspecting user's "from" address in there sometimes? Yes. And that is a flaw, agreed. But I don't think it makes me the spammer? It is just like a doorbell on a house with a locked door. Who are you at my door? A salesman? Go away... If a few people say, I did not knock on your door, that is a small casualty of something we all abhor.
However, one element of whitelisting that is vital is an auto whitelist of outgoing addresses. If I send a mail to someone (To, CC or BCC) it MUST add those addresses to the whitelist. Otherwise, as Floyd stated, it is entirely rude to send a reply to someone and then have to answer a C/R.
I wish and hope DA would implement a blacklist that just blackholes the mail on the blacklist, a whitelist that everything gets through on the list, an auto whitelist for outgoing mails, and then either a greylist as described in this thread (if you are firmly opposed to C/R), or a C/R with a CAPTCHA web page.
Make it all optional on a PER ADDRESS basis so I, and my users, can configure their own settings.
And if someone sends me a message that I have never emailed, and they do not want to whitelist themselves, I can always release their email from the holding bin. (And adding this feature to the greylist functionality would allow those "got to get this mail NOW" through if the recipient goes to the web interface to check the queue.)
Adding a configuration to a greylisting feature that says release on attempt 2, 3, or 4, would allow you to increase the number of tries needed to resend if a spammer starts resending emails to try and defeat the greylist...
Anyway, just my thoughts. I love Challenge Response, because it keeps my inbox clear, and I can always check my queue. But I agree autowhitelisting MUST be included...
I just wish DA had either greylisting or C/R, with the other features (queue checking, auto whitelisting, etc.).
As far as my IP being listed as spam, it has not happened in the years I have used C/R...
For guidelines on how to best deploy C/R to overcome hurdles, from the Wikipedia site,
http://www.templetons.com/brad/spam/challengeresponse.html
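
The per-address setup wished for in the post above (blackholing blacklist, whitelist, auto-whitelist of outgoing To/CC/BCC, greylist with a configurable release attempt, manual release from the queue), as an added Python example that is not from the post, DirectAdmin or BoxTrapper. All class, method and result names are hypothetical; letting the blacklist win over the whitelist and keying the greylist on sender address alone are assumptions.

```python
from dataclasses import dataclass, field

@dataclass
class AddressPolicy:
    """Mail policy for ONE recipient address (hypothetical names throughout)."""
    blacklist: set = field(default_factory=set)
    whitelist: set = field(default_factory=set)
    release_on_attempt: int = 2                   # greylist: accept on the Nth try
    attempts: dict = field(default_factory=dict)  # sender -> delivery attempts seen

    def record_outgoing(self, to=(), cc=(), bcc=()):
        # Auto-whitelist everyone this address writes to, so a reply
        # from them is never challenged or delayed.
        for addr in (*to, *cc, *bcc):
            self.whitelist.add(addr.lower())

    def on_incoming(self, sender):
        sender = sender.lower()
        if sender in self.blacklist:              # assumption: blacklist wins
            return "blackhole"                    # dropped silently, no bounce
        if sender in self.whitelist:
            return "deliver"
        # Unknown sender: count the attempt. Real greylisting usually keys on
        # (client IP, sender, recipient); sender alone keeps the example short.
        n = self.attempts.get(sender, 0) + 1
        self.attempts[sender] = n
        if n >= self.release_on_attempt:
            return "deliver"                      # sending server retried enough
        return "defer"                            # temporary failure, retry later

    def queue(self):
        # Senders still waiting, as a web interface for the queue would list them.
        return sorted(s for s, n in self.attempts.items()
                      if n < self.release_on_attempt and s not in self.whitelist)

    def release(self, sender):
        # Manual release by the recipient: the sender is whitelisted, so the
        # next retry of the waiting mail goes straight through.
        sender = sender.lower()
        if sender not in self.queue():
            return False
        self.whitelist.add(sender)
        return True
```

Raising `release_on_attempt` from 2 to 3 or 4 is the knob the post asks for when spammers begin retrying.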