At 04:05 PM 9/15/2004, Dan Mahoney, System Admin wrote:
> I'm seeing spammers bypass whitelists by appending a few characters to my own username and using it as their own.

Rule #1.. Never whitelist_from your own domain.. It doesn't work. Spammers always forge From: addresses and frequently forge your own domain as the sender.


whitelist_from contains absolutely no anti-forgery tactics. It's just a pure, simple "whitelist everything with this From: address, regardless of where it came from" type system, and is intended to be a last-ditch method to get a particular sender past SA when nothing else will work.

This isn't something that's going to be fixed in whitelist_from, except to the extent that it was already fixed in 2.40 by introducing whitelist_from_rcvd as a semi-secure replacement.

If you must whitelist your domain, use whitelist_from_rcvd, which also checks the Received: headers. Note you'll want to include two parameters when doing this, the second of which should be a reverse-dns machine name that will appear in mail you send, but not in mail coming from the outside.

i.e.: I could use: whitelist_from_rcvd [EMAIL PROTECTED] tcp-6-249.evi-inc.com
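The difference between the two checks, modeled in Python as an added example (not SpamAssassin's code and not part of the original message). It assumes the topmost Received: header was written by your own MTA in a Postfix-style format; the example.com names, the addresses and all three messages are constructed.

```python
import email
import email.utils
import fnmatch
import re

# Postfix-style header: "from HELO (rdns-name [ip]) by ..." (format is an assumption)
RDNS_RE = re.compile(r"from\s+\S+\s+\((\S+)\s+\[[0-9A-Fa-f.:]+\]\)")

def sender(msg):
    """Address part of the From: header, lowercased."""
    return email.utils.parseaddr(msg.get("From", ""))[1].lower()

def relay_rdns(msg):
    """rDNS name our own MTA recorded for the connecting host, or None."""
    received = msg.get_all("Received") or []
    m = RDNS_RE.search(received[0]) if received else None
    if not m or m.group(1).lower() == "unknown":
        return None
    return m.group(1).lower()

def whitelist_from(msg, pattern):
    """Header-only check: trusts whatever From: says."""
    return fnmatch.fnmatchcase(sender(msg), pattern.lower())

def whitelist_from_rcvd(msg, pattern, rdns_domain):
    """From: must match AND the relay's rDNS must fall inside rdns_domain."""
    rdns, dom = relay_rdns(msg), rdns_domain.lower()
    if rdns is None or not whitelist_from(msg, pattern):
        return False
    # Require a label boundary so "evilcorp.example.com" != "corp.example.com"
    return rdns == dom or rdns.endswith("." + dom)

# Constructed sample messages (documentation-range IPs, example.com names)
INTERNAL = email.message_from_string(
    "Received: from ws1 (ws1.corp.example.com [192.0.2.10]) by mx.example.com\n"
    "From: Alice <alice@example.com>\nSubject: report\n\nbody\n")
FORGED = email.message_from_string(
    "Received: from mail.example.com (unknown [203.0.113.7]) by mx.example.com\n"
    "From: alice99@example.com\nSubject: offer\n\nbody\n")
LOOKALIKE = email.message_from_string(
    "Received: from x (evilcorp.example.com [203.0.113.8]) by mx.example.com\n"
    "From: alice@example.com\nSubject: offer\n\nbody\n")

if __name__ == "__main__":
    for name, m in (("internal", INTERNAL), ("forged", FORGED), ("lookalike", LOOKALIKE)):
        print(name, whitelist_from(m, "*@example.com"),
              whitelist_from_rcvd(m, "*@example.com", "corp.example.com"))
```
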



