You have to let users forward their email because this is functionality they expect. The trick is to spam scan all email first, otherwise as Alexander has said, you end up on RBL's.
Its actually a lot harder than this. Most default installations I've seen don't take into account Return-Path notifications (i.e. passing these notifications upstream to the origin),
What is a "default installation"?
I have a good working knowledge of all the software I have deployed in my and my clients mail servers and I have spent a considerable amount of time over the years furthering my understanding and perfecting my configs.
If, by "default installation", you mean take a piece of software off the shelf and follow a quick and dirty howto guide without any understanding of what the options mean, then of course under these situations people are going to run into issues.