A quick grep shows: 4.000000/updates_spamassassin_org/60_welcomelist_auth.cf:def_welcomelist_auth *@*.dropbox.com
so the code is operating as designed. It seems that either dropbox is compromised, or dropbox is allowing user-generated content to go out under their domain. Either way it seems they should be removed from USER_IN_DEF_SPF_WL, unless this is a blip and they fix it right away. Have you written to ab...@dropbox.com, and what did they say?
