Hi Kim,
Whilst this is a fairly easy problem to address with Brightmail Gateway, it's a little different with Brightmail Message Filter (formerly SBAS) because we aren't controling or modifying the outbound mail (except in the case of outbound AS/AV). In order to confidently protect against FPs whilst blocking backscatter, your MTA infrastructure needs to provide verification that it the undeliverable message came from your environment in the first place. The way that is generally done is to add a header to each outbound message with an encrypted hash value that is tied to a private key only your MTA knows.
So, which MTA do you use with your deployment of Brightmail Message Filter?
I ask because MTAs such as postfix and, i think sendmail, have plugins for things like BATV already.
HTH
--ian