My suggestion would be to use a unique alias for each website/company. This way, if you start receiving spam at that address, you know who leaked it, and can simply delete the alias. You should also then publicly name and shame the source of spam.
I also run SpamAssassin on my server, but I don't believe it ever had to do anything.