Safety first! Right?

I've been checking around some other anti-spam solutions and one of the selling points that they mention is that they do end-user whitelisting.  This is supposedly a selling point of the product - that the users can do individual whitelisting.  It's not only the admins who have the power; the users themselves have it too.  By whitelisting, I mean that a user can say "Do not apply spam filtering to this user, or any mail from this domain."  Note that whitelisting applies to spam filtering, but not to virus filtering (but we can create spam rules that apply to viruses if we so choose).

This reminds me of an episode of the Simpsons.  Mr. Burns and his assistant Smithers are going into a high security area.  They both put their eyes into a retinal scanner, both have keys to unlock a series of huge blast doors and there is a ton of security that they have to go through.  When they finally get to the end of the tunnel of doors, there is a stray dog there who has walked in through an open screen door.  Burns replies "Oh, for heaven's sake!" and kicks the dog, and it scrambles out of the room.  It is a very funny scene.

The joke is that Mr. Burns has all this massive security built up but it's all for nothing because they have a wide-open backdoor through which anyone can waltz in and access the secret area.  What's the point of having the security if you don't actually secure anything?

I tend to view end-user whitelisting the same way.  I can see if an admin wants to whitelist a particular end-user and domain.  The sysadmin needs the power to do that, but the decision to do that is centralized.  If end-users can whitelist whoever they want, I think that represents a security breach similar to Mr. Burns leaving the back door open.  Sysadmins know about network security (or at least they should), users do not.  Better to have the person who is in charge of security making the network security decisions than Joe in accounting wanting to get his X-rated newsletter.

As a spam analyst, I came to the position that if there is a weakness in your product, given enough users it will be discovered.  I can't count how many spam rules I've written or seen written that should never have hit a legitimate message but did.  For example, let's say we block a porn site only to have a law firm refer to it in a case and report that message as a false positive.  That porn site should never occur in legitimate messages, right?  It turns out that assumption was wrong.

My rule of thumb is that any security product you implement will have holes, so you should have backup systems in place in the event that a weakness is found.  In my own personal view, allowing end-users to do their own whitelisting represents an exploitable weakness, and mark my words, it's only a matter of time before that weakness is exploited.  It's kind of like having a smoke alarm in every room in your house except the kitchen.

This should never cause a problem, right?  The odds that it will be exploited are small.  However, given enough numbers, it's only a matter of time before something bad happens.  What happens if a virus breaks out and spoofs the whitelisted domain and dumps out the spam?  Some users are using our anti-spam solution, some are not.  Some users will get nailed with spam, others will not.  Some spam may be virus infected or link to an executable.  What happens then?
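To make the spoofing scenario concrete, here is a small simulation of the two whitelist designs discussed above.  It is an added example, not code from the original post or from any particular anti-spam product.  The `Message` fields, the spam threshold, the `sender_verified` flag (standing in for whatever sender-domain verification a gateway might perform) and all the sample messages are constructed assumptions.  The naive policy skips spam filtering on a bare From-domain match, as an end-user whitelist does; the hardened policy keeps the whitelist centralised and only honours it for a verified sender, while virus scanning runs first in both.

```python
from dataclasses import dataclass

# Constructed sample data and policy logic; not code from the original post.
SPAM_THRESHOLD = 0.7  # assumed classifier cut-off, on a 0.0..1.0 score


@dataclass
class Message:
    sender: str            # From: address as written in the header; trivially spoofable
    recipient: str
    spam_score: float      # output of some content classifier (assumed 0.0..1.0)
    has_virus: bool        # result of the virus scanner
    sender_verified: bool  # ASSUMPTION: gateway verified the sending domain (SPF/DKIM-style)


def sender_domain(addr: str) -> str:
    return addr.rsplit("@", 1)[-1].lower()


def naive_policy(msg: Message, user_whitelist: dict) -> str:
    """End-user whitelist as described in the post: a From-domain match
    skips spam filtering for that recipient. Virus filtering still runs."""
    if msg.has_virus:
        return "quarantine:virus"
    if sender_domain(msg.sender) in user_whitelist.get(msg.recipient, set()):
        return "deliver:whitelisted"   # no spam check at all
    if msg.spam_score >= SPAM_THRESHOLD:
        return "quarantine:spam"
    return "deliver"


def hardened_policy(msg: Message, admin_whitelist: set) -> str:
    """Centralised whitelist, honoured only when the sender domain was
    verified, so a spoofed From: header does not earn the exemption."""
    if msg.has_virus:
        return "quarantine:virus"
    if sender_domain(msg.sender) in admin_whitelist and msg.sender_verified:
        return "deliver:whitelisted"
    if msg.spam_score >= SPAM_THRESHOLD:
        return "quarantine:spam"
    return "deliver"


def whitelist_bypasses(messages, user_whitelist, admin_whitelist):
    """Audit helper: senders the user whitelist lets through that the
    hardened policy would have quarantined."""
    return [m.sender for m in messages
            if naive_policy(m, user_whitelist).startswith("deliver")
            and hardened_policy(m, admin_whitelist).startswith("quarantine")]


# Constructed sample: Joe in accounting whitelisted newsletter.example himself
USER_WHITELIST = {"joe@corp.example": {"newsletter.example"}}
ADMIN_WHITELIST = {"newsletter.example"}

MESSAGES = [
    Message("news@newsletter.example", "joe@corp.example", 0.8, False, True),    # real newsletter, scores spammy
    Message("news@newsletter.example", "joe@corp.example", 0.95, False, False),  # spoofed From:, unverified
    Message("news@newsletter.example", "joe@corp.example", 0.95, True, False),   # spoofed and virus-infected
    Message("deals@randomspam.example", "joe@corp.example", 0.95, False, False), # plain spam, not whitelisted
]

if __name__ == "__main__":
    for m in MESSAGES:
        print(f"{m.sender:28} naive={naive_policy(m, USER_WHITELIST):22} "
              f"hardened={hardened_policy(m, ADMIN_WHITELIST)}")
    print("bypasses:", whitelist_bypasses(MESSAGES, USER_WHITELIST, ADMIN_WHITELIST))
```

Running it shows the point of the post: the spoofed, unverified message is delivered under the naive policy purely because of the From: domain, while the hardened policy sends it to spam quarantine.  The virus-infected copy is caught by both, which matches the note above that whitelisting does not exempt mail from virus filtering.  The `whitelist_bypasses` helper is the kind of audit report an admin would want from a product that does allow per-user whitelists.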

What do you all think?  Am I making much ado about nothing?  Or am I right to think that the risk of this feature exceeds the reward?