I understand what you mean by saying this problem is not clearly ISPC related. I though a global whitelist would be a solution and after reading your post it seems I'm wrong as I understand your point with faked email addresses.
The mails that got forwarded to me for further education told me this:
2.0 RCVD_IN_SORBS_DUL RBL: SORBS: sent directly from dynamic IP
[18.104.22.168 listed in dnsbl.sorbs.net]
1.7 RCVD_IN_NJABL_DUL RBL: NJABL: dialup sender did non-local SMTP
[22.214.171.124 listed in combined.njabl.org]
Obviously I cannot force our customers to get themselves a static ip address
My first guess is, that there has to be a way to say: "This mail got sent through SMTP on this machine and therefore it can be trusted (unless my SMTP is not secure, but then I am in admin hell anyway) regardless from which IP it got sent."
I concede this all may have to do with the fact I never before had to deal closely with spamassassin and therefore I am lacking some fundamental knowledge of its configuration. Consider me your apprentice