As others have mentioned, check the IP of the sending server. When I was running XWall, I was very aggressive about blocking C and sometimes B level subnets. There were patterns as to what IP blocks would send spam.
More than 2 spam from the same IP? Blocked. More than 10 from the same class C? Blocked. More than 5 class C subnets for a class B subnet? Class B blocked. Never had a problem with a user not getting legitimate email.
As long as you have a decent reporting mechanism in place for users to retrieve false positives, you should be fine.
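The three-tier escalation described above (per IP, per /24 "class C", per /16 "class B"), written out as an added example. This is not XWall's code or the poster's configuration; it only uses the Python standard library, and the thresholds are the post's own numbers. One interpretation is an assumption: "more than 5 class C subnets for a class B" is read as "more than 5 already-blocked /24s inside one /16". The sample source addresses are constructed from documentation and shared-address ranges.

```python
from collections import Counter
from ipaddress import IPv4Address, IPv4Network

# Thresholds as given in the post: "more than" means strictly greater.
PER_IP_LIMIT = 2          # >2 spam from one IP        -> block that IP
PER_CLASS_C_LIMIT = 10    # >10 spam from one /24      -> block that /24
CLASS_C_PER_B_LIMIT = 5   # >5 blocked /24s in one /16 -> block that /16


def build_blocklist(spam_sources):
    """Aggregate the source IPs of spam (one entry per message) into a
    three-tier blocklist. Returns sets of strings so the result is easy
    to persist or diff: {"ips": {...}, "class_c": {...}, "class_b": {...}}."""
    per_ip = Counter(str(IPv4Address(s)) for s in spam_sources)
    blocked_ips = {ip for ip, n in per_ip.items() if n > PER_IP_LIMIT}

    # Roll the per-IP counts up into their /24 ("class C") networks.
    per_c = Counter()
    for ip, n in per_ip.items():
        per_c[str(IPv4Network(f"{ip}/24", strict=False))] += n
    blocked_c = {net for net, n in per_c.items() if n > PER_CLASS_C_LIMIT}

    # Count how many *blocked* /24s fall inside each /16 ("class B").
    # Assumption: the post's "more than 5 class C subnets for a class B"
    # is read as more than 5 already-blocked /24s.
    c_per_b = Counter()
    for net in blocked_c:
        c_per_b[str(IPv4Network(f"{net.split('/')[0]}/16", strict=False))] += 1
    blocked_b = {net for net, n in c_per_b.items() if n > CLASS_C_PER_B_LIMIT}

    return {"ips": blocked_ips, "class_c": blocked_c, "class_b": blocked_b}


def is_blocked(ip, blocklist):
    """Decision for one connecting address: a match in any tier means reject."""
    addr = IPv4Address(ip)
    if str(addr) in blocklist["ips"]:
        return True
    nets = blocklist["class_c"] | blocklist["class_b"]
    return any(addr in IPv4Network(n) for n in nets)


# Constructed sample of spam source addresses (documentation and shared-
# address ranges, not real senders). Each list element is one spam message.
SAMPLE_SPAM_SOURCES = (
    ["203.0.113.7"] * 3                              # one noisy host -> IP block
    + ["203.0.113.20", "203.0.113.21",
       "203.0.113.22", "203.0.113.23"] * 2           # pushes that /24 to 11 hits
    + ["198.51.100.5"] * 2                           # below every threshold
    # six /24s inside 100.64.0.0/16, 11 distinct hosts each, one hit per host
    + [f"100.64.{c}.{h}" for c in range(6) for h in range(1, 12)]
)


if __name__ == "__main__":
    bl = build_blocklist(SAMPLE_SPAM_SOURCES)
    for tier in ("ips", "class_c", "class_b"):
        print(tier, sorted(bl[tier]))
    for probe in ("203.0.113.200", "100.64.77.1", "198.51.100.5"):
        print(probe, "blocked" if is_blocked(probe, bl) else "allowed")
```

Run as a script it prints the three tiers and three probe decisions: the /16 tier catches a host (100.64.77.1) that never sent anything itself, which is exactly the trade-off the post accepts. In practice the counters would be persisted and aged out rather than rebuilt from an all-time list, and the class B tier is the one most likely to sweep in a legitimate sender on shared infrastructure, so the false-positive reporting path the post mentions is what makes it tolerable.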