Hello Douglas,
I suggest configuring a SmarterMail inbound gateway to do your spam filtering. The gateway will not know if the address is a user or a list, so your scoring formula will be applied uniformly. Whatever rules are implemented successfully in the outbound gateway should be easily replicated in the inbound gateway.
As far as I know, when SmarterMail operates in inbound gateway mode, it does the work of scoring the mail and then passes it along with the spam score to the backend SmarterMail server.
It's the backend server that then decides what to do with the mail, according to the score and the system/domain/user spam rules (delete, move to junk, tag, etc.).
The issue is that when it is a mailing list target, no blocking action is applied on spammy incoming mails. It's processed and forwarded to the list subscribers.
So any mailing list (especially those allowing anyone to post) is quickly becoming a source of SPAM.
To avoid this, a mailing list target address should be considered like a mailbox receiving a mail and take into account the spam score, then decide whether to forward the mail to the mailing list (if clean), generate a bounce or delete it.
external mail -> mailing list -> spam evaluation (good, yeah!) -> forward to subscribers
external mail -> mailing list -> spam evaluation (crap) -> bounce
or
external mail -> mailing list -> spam evaluation (crap) -> delete
This could be configurable per mailing list as we can do it per normal mailbox:
It looks to me (I can be wrong, of course) like everything already exists in the product to apply such SPAM processing on mailing lists.
Also the lack of SPAM processing on the mailing list brings to front another huge problem: List subscribers being unsubscribed due to bounces.
When a SPAM is relayed by the mailing list and forwarded to subscribers (external), the remote servers will probably bounce them right in the SMTP session (after DATA) as they will be detected as SPAM by the remote end.
This then increases the bounce count for almost EVERY subscriber of the list and by default this setting is set to 2 (I think it's a value only configurable per domain and I didn't find a default value to set and propagate to existing domains).
So by default when a list relays spam that is rejected by most destination servers, after 2, a mailing list can be entirely wiped due to these bounces.
What is even more fun is that when this happens, there is no way, as far as I know, in the mailing list management panels, to know which subscribers have been unsubscribed due to bounces. They just disappear from the lists.
Here there should be a panel in the mailing list admin, where you can review the unsubscribed members along with the date it was removed and the reason (unsubscribed manually or bounces) and optimally in case of bounce, the ability to view the received bounce (but that's the cherry on the cake).
Also you could select some of the unsubscribed members in that list and press a button to re-subscribe them.
In the current state, the lack of SPAM handling and a view on who was removed and why, the mailing list feature is a pain to administrate.
I guess without that much effort it could be enhanced, at least on the SPAM handling side.
Of course the "Allow anyone to post" is the worst situation for a mailing list for getting SPAMMED, but we also saw "Allow only subscribers to post" and "Allow only moderators to post" mailing lists getting abused only with spoofed "From" address mails sent to the mailing list.
As a side information, we already have front filters (not based on SmarterMail) that score the mails and populate a header that is then used to evaluate custom spam rules in SM. It works very well for mailboxes but is ignored for mailing lists.
We directly reject mails on the front filters, when they hit relatively high scores. But still for low to med scoring, we allow the mail and forward it to SmarterMail with the scoring so it's up to the end user to decide what to do with them (if they don't follow the defaults we set).
The mailing list admins should also be able to decide what to do with mails addressed to their mailing list depending on how they scored in the spam checks. Keeping in mind that letting too much spam go through their list will see their members being kicked due to bounces.
We also use an outgoing gateway, where we added some logic like, is it an outgoing mail from SM mailing list, or a forward, or an alias that points to external recipients and evaluate if it looks like an outgoing spam and bounce/drop them silently depending on the scoring.
This is to keep a high deliverability score (90-100 on senderscore, avoid getting our IPs on blacklist etc).
All this is tricky though :)
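The per-list forward/bounce/delete decision requested in the post above, sketched as an added example that is not part of the original posts and not SmarterMail code. The header name `X-Spam-Score`, the list addresses, the thresholds and the `unscored` fallback are all assumptions made for illustration.

```python
import math
from dataclasses import dataclass
from email import message_from_string

SCORE_HEADER = "X-Spam-Score"  # assumed name; the thread does not name the header


@dataclass(frozen=True)
class ListPolicy:
    bounce_at: float          # score at or above which the post is bounced
    delete_at: float          # score at or above which it is silently deleted
    unscored: str = "bounce"  # action when the score is missing or malformed


# Constructed per-list settings (hypothetical addresses and thresholds).
POLICIES = {
    "announce@example.test": ListPolicy(bounce_at=5.0, delete_at=15.0),
    "open-talk@example.test": ListPolicy(3.0, 10.0, unscored="delete"),
}


def decide(raw_message, rcpt):
    """Return 'forward', 'bounce' or 'delete' for a list post, None for non-lists."""
    policy = POLICIES.get(rcpt.lower())
    if policy is None:
        return None  # ordinary mailbox: the normal user/domain rules apply
    try:
        score = float(message_from_string(raw_message)[SCORE_HEADER])
        if math.isnan(score):
            raise ValueError("NaN score")
    except (TypeError, ValueError):
        return policy.unscored  # never forward a post the filter did not score
    if score >= policy.delete_at:
        return "delete"
    if score >= policy.bounce_at:
        return "bounce"
    return "forward"


def sample(score_line=""):
    """Build a constructed test message; score_line is an optional header line."""
    return ("From: someone@example.net\r\nTo: announce@example.test\r\n"
            + score_line + "Subject: hello\r\n\r\nbody\r\n")


if __name__ == "__main__":
    for line in ("X-Spam-Score: 1.2\r\n", "X-Spam-Score: 7.5\r\n", ""):
        print(repr(line), "->", decide(sample(line), "announce@example.test"))
```

The decision is keyed on the envelope recipient rather than the `To` header, since a list post may carry the list address only in the envelope.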