[SLL] Greylisting downsides: Solutions?

Glenn Stone technoshaman at liawol.org
Tue Jun 12 11:38:34 PDT 2007


So I was just doing something on a major car-rental company's website, and I
said to myself, "That's gonna generate an email."  So I went into Postgrey's
whitelist, added what I *thought* should be the appropriate domain,
reloaded, hit SUBMIT, and.... nothing.  Checked /var/log/mail.log, there's
the attempt, but it HELOed as... who??  Turns out it was a host owned by
Postini, who is apparently handling Not Exactly's email for them.  (Hertz,
for what it's worth, whoever is running their email servers actually has
them HELO'ing as hertz.com.  Win!)

Now, don't get me wrong.  I love postgrey; it narfs about 10% of my spam,
the truly annoying stuff that the common sense rules and RBLs don't get.
Some of it is smart enough to retry and get through, but a fair bit of it is
not.  What I'm wondering is, what should we have website owners do to
mitigate this?  I'm imagining that modifying the HELO message is gonna be a
pain.  It *makes sense* from a functional point of view; I mean, when I call
my doctor and he's out I don't get "Hello, Joe's Answering Service," but,
"Hello, this is the doctor's office."  But mapping domain-being-sent to HELO
would be tricky and non-standard and would probably involve IETF, and that's
just painful.  (SPF would be nice, but very few people, including said
rent-a-car company, implement it.)  

A lot of sites already say, "add this address to your address book," which
is really a way of saying, "Whitelist this address" for AOL and Hotmail
users.  (Fastmail will do that too, *if you tell it to*.  </shameless_plug>)
Is this the way to go, social-engineer it?  

I just want to know what to tell Postfix/Postgrey to expect, so I can get
the email I want, when I want it, but still tell the spammers to can it.
(And I'd really rather not whitelist a domain by sender, because a lot of
places, like, say, banks, get spoofed so often it's not funny.)

-- Glenn, opening a can of worms
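
Added example, not part of the original post: a small log scan that shows which client hosts were greylisted while carrying mail for a given sender domain, so a client-side whitelist entry can name the relay that actually connects rather than the sender's own domain. It assumes postgrey's usual key=value log lines; the sample lines, hostnames and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in postgrey's key=value log style (not from the post).
SAMPLE_LOG = """\
Jun 12 11:30:02 mx postgrey[2101]: action=greylist, reason=new, client_name=out1.relay-provider.example, client_address=192.0.2.10, sender=reservations@rentacar.example, recipient=me@home.example
Jun 12 11:31:40 mx postgrey[2101]: action=greylist, reason=new, client_name=mail.hotel.example, client_address=198.51.100.7, sender=noreply@hotel.example, recipient=me@home.example
Jun 12 11:33:12 mx postgrey[2101]: action=greylist, reason=early-retry (130s missing), client_name=out2.relay-provider.example, client_address=192.0.2.11, sender=reservations@rentacar.example, recipient=me@home.example
Jun 12 11:40:00 mx postgrey[2101]: action=greylist, reason=new, client_name=unknown, client_address=203.0.113.5, sender=billing@rentacar.example, recipient=me@home.example
Jun 12 11:45:00 mx postgrey[2101]: action=pass, reason=triplet found, client_name=mail.hotel.example, client_address=198.51.100.7, sender=noreply@hotel.example, recipient=me@home.example
"""

def parse_line(line):
    """Return postgrey's key=value fields as a dict, or None for other lines."""
    m = re.search(r"postgrey\[\d+\]: (action=.*)$", line)
    if not m:
        return None
    return dict(re.findall(r"(\w+)=([^,]*)", m.group(1)))

def registered_domain(name):
    """Naive last-two-labels domain; a real tool would use the Public Suffix List."""
    return ".".join(name.lower().rstrip(".").split(".")[-2:])

def greylisted_clients(log_text, sender_domain):
    """Map each greylisted client hostname to the addresses it used for sender_domain."""
    found = defaultdict(set)
    for line in log_text.splitlines():
        fields = parse_line(line)
        if not fields or fields.get("action") != "greylist":
            continue
        domain = fields.get("sender", "").rpartition("@")[2].lower()
        if domain == sender_domain or domain.endswith("." + sender_domain):
            found[fields["client_name"]].add(fields["client_address"])
    return {name: sorted(addrs) for name, addrs in found.items()}

def whitelist_candidates(log_text, sender_domain):
    """Relay domains to review for a client whitelist entry.
    Clients without reverse DNS ("unknown") are skipped: there is no stable
    name to list, and the sender address alone may be spoofed."""
    clients = greylisted_clients(log_text, sender_domain)
    return sorted({registered_domain(n) for n in clients if n != "unknown"})

if __name__ == "__main__":
    for entry in whitelist_candidates(SAMPLE_LOG, "rentacar.example"):
        print(entry)
```

On the sample data the only candidate for rentacar.example is relay-provider.example; the connection from 203.0.113.5 stays subject to greylisting.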


