At mySociety we use SpamAssassin and ClamAV to reject obvious spam and malware messages before they are accepted by our servers and ingested into Alaveteli. You'll need to make sure these are configured correctly and definitions are regularly updated to ensure these tools stay effective.
For any questionable messages which get through to the Alavetelis we host, there are a number of configuration options we have to help limit and manage these.
One of these is the `RESTRICT_NEW_RESPONSES_ON_OLD_REQUESTS_AFTER_MONTHS` option, so only email addresses matching the domain name of the authority can reply.
There are also the three `INCOMING_EMAIL_SPAM_*` options, which we have configured in conjunction with SpamAssassin to inject a header into the incoming messages with a numeric spam score, so these messages can be directed to the holding pen for manual review by an admin before being published on the site.
Also, in the Alaveteli admin you can go to `/admin/spam_addresses`, which allows you to manually specify email addresses to prevent some messages from entering the holding pen.
Hope this helps,
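
The score-header routing described in the message above, as an added sketch that is not part of the original reply and is not Alaveteli's own code. The header name `X-Spam-Score`, the threshold of 5.0, the function names and the sample messages are all assumptions made for illustration.

```python
import math
from email import message_from_string

SPAM_HEADER = "X-Spam-Score"  # assumed name of the header the spam filter injects
SPAM_THRESHOLD = 5.0          # assumed score at or above which a message is held


def spam_score(raw_message, header=SPAM_HEADER):
    """Return the highest finite score found in `header`, or None if there is none."""
    msg = message_from_string(raw_message)
    scores = []
    # get_all() matches header names case-insensitively and returns every copy,
    # so a duplicated header cannot hide a high score behind a low one.
    for value in msg.get_all(header, []):
        try:
            score = float(value.strip())
        except ValueError:
            continue  # non-numeric value: ignore this copy of the header
        if math.isfinite(score):  # reject "nan" and "inf", which float() accepts
            scores.append(score)
    return max(scores) if scores else None


def route(raw_message, threshold=SPAM_THRESHOLD):
    """Return 'holding_pen' for manual review or 'deliver' for normal handling."""
    score = spam_score(raw_message)
    if score is None:
        # Choice made in this example: a message with no usable score was not
        # scored by the filter, so it is reviewed rather than published.
        return "holding_pen"
    return "holding_pen" if score >= threshold else "deliver"


# Constructed sample messages (not real traffic).
CLEAN = "From: foi@authority.example\nX-Spam-Score: 1.2\n\nResponse attached.\n"
SPAMMY = "From: promo@bulk.example\nx-spam-score: 7.5\n\nBuy now.\n"
UNSCORED = "From: foi@authority.example\n\nNo score header here.\n"
DUPLICATED = "From: a@b.example\nX-Spam-Score: 0.1\nX-Spam-Score: 9.9\n\nHi\n"
GARBLED = "From: a@b.example\nX-Spam-Score: nan\n\nHi\n"

if __name__ == "__main__":
    for name in ("CLEAN", "SPAMMY", "UNSCORED", "DUPLICATED", "GARBLED"):
        print(name, spam_score(globals()[name]), route(globals()[name]))
```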