Hi Nate,
Please enable filtering on forwarded only addresses. My domain is my family name. Some of us in the family (myself included) would use DreamHost mailboxes and some would use forwarding. Currently I set my MX to another hosting company to manage our e-mail because they have this feature (they use www.nspasm.org's filter which I love).
What to do with spam to forwarded addresses? From my use of Spasm (www.nspasm.org), I'd say in order of importance:
1) Administrator choice if forwarded mail is filtered or not.
2) Per address configuration of what to do (for the domain admin): disable filtering for that address, reject spam to that address, tag spam to that address, etc.
3) Log everything rejected or tagged. Log the date, sender, recipient, filter which caught the spam, and disposition (tagged or rejected). Provide a web interface for the admin to view and clear the log. Be able to enable or disable logging. (This log aids tuning of filter settings.)
4) Per address configuration to log or not.
5) A domain wide quarantine feature. On a per address basis, rejected spam can be quarantined and selectively delivered by the administrator. Admin can clear the quarantine. It is auto-emptied over time.
I don't know if you are considering these options also (again in order of preference.)
1) Configuration of detailed filter options by the domain administrator.
2) Configuration of the detailed options on a per address basis.
Like I mentioned above my old host uses Spasm (www.nspasm.org). This is a very nice milter for domain hosting and I have grown very dependent on its feature set. It gives great control on an individual address basis of a multitide of filter settings, logging, and quarantine. I love this filter because I have been able to tune it to catch 99% of spam with no (knock on wood) false positives in 4 months. You might take a look. It has a decent web control panel too.
Erik