OK. Make it 100, or make it "20 by default, user can ask for 100". Or anything else like that. The *POINT* was that too often, a compromised end-user machine can send *THOUSANDS* of messages. Not tens. Not hundreds. Thousands.
Here's another way to structure this sort of policy using a "soft" limit which would also make it feasible to have a limit lower than 20. If any of your user connections is the origin of more than 5 SMTP sessions in a single day, send an email to the registered contact at that site with a little statistical summary of the activity. No blocking of sessions, just a note saying that we noticed you sent x number of emails today. Give the user some action that they can take, such as a URL, if they believe that this is abnormal. Then you could make the hard limit for blocking sessions into a larger number such as 50 which is extremely unlikely to block anyone's real email. Of course, anyone running a mailing list would still have to register that fact with you so that you can remove the hard limit on them.

--Michael Dillon
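The soft and hard limits described in the message above, as an added example that is not part of the original post: a per-customer, per-day session counter that records a notice once the soft limit of 5 is passed and blocks sessions past the hard limit of 50 unless the customer is a registered mailing-list operator. The log format, the customer ids, the function names, and the choice to reset counts by calendar day are assumptions made for the illustration.

```python
from collections import Counter

SOFT_LIMIT = 5    # more than this in a day: send the customer a summary
HARD_LIMIT = 50   # more than this in a day: refuse further sessions

def apply_limits(log_lines, exempt=frozenset(), soft=SOFT_LIMIT, hard=HARD_LIMIT):
    """Walk a session log in order and apply both limits.

    Returns (decisions, notices, totals):
      decisions - 'accept' or 'block' for each log line
      notices   - (day, customer) pairs that crossed the soft limit, once each
      totals    - attempted sessions per (day, customer), for the summary mail
    """
    totals = Counter()
    decisions, notices = [], []
    for line in log_lines:
        timestamp, customer = line.split()
        key = (timestamp[:10], customer)      # counts reset with the calendar day
        totals[key] += 1
        if totals[key] == soft + 1:           # first session past the soft limit
            notices.append(key)
        # Registered mailing-list operators keep the notice but lose the hard limit.
        blocked = totals[key] > hard and customer not in exempt
        decisions.append("block" if blocked else "accept")
    return decisions, notices, totals

def sample_log():
    """Constructed log lines: '<ISO timestamp> <customer id>' (assumed format)."""
    day = "2024-03-01T"
    lines = [f"{day}09:{i:02d}:00 cust-home" for i in range(4)]
    lines += [f"{day}10:{i:02d}:00 cust-office" for i in range(8)]
    lines += [f"{day}11:{i % 60:02d}:{i // 60:02d} cust-infected" for i in range(3000)]
    lines += [f"{day}12:{i % 60:02d}:{i // 60:02d} cust-list" for i in range(200)]
    lines += [f"2024-03-02T08:{i:02d}:00 cust-infected" for i in range(3)]
    return lines

if __name__ == "__main__":
    decisions, notices, totals = apply_limits(sample_log(), exempt={"cust-list"})
    print("blocked sessions:", decisions.count("block"))
    for day, customer in notices:
        print(f"notice to {customer}: {totals[(day, customer)]} sessions on {day}")
```

In the constructed log, the customer sending thousands of sessions has all but the first 50 refused, while the 4-session and 8-session customers are never blocked.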