The spamming is usually done (but not only) from an Internet cafe where the spammer inserts a "spammer CD" and blasts away at open mail relays. When SMTP is blocked for that IP
outbound SMTP should be blocked for any dynamic or dialup source within a network. a rule of thumb might be that if nat or dhcp is involved, then you should be firewalling outbound smtp. likewise for an internet cafe: these are untrusted edges and the only things they should be able to reach are either (a) other parts of the untrusted edge, or (b) a place where they can authenticate themselves in order to reach further.
..., they switch to HTTP and send the spam via MSN, Yahoo, Hotmail, Kukamail, Outblaze, Safe-mail, etc. to name just a few. Blocking port 80 is harder since it requires maintaining an ever larger list of free public web based mail systems or just block port 80 entirely.
per-destination host AND port egress rate shaping. if someone tries to send more than 1Kbit/sec to all port 80's, or more than 1Kbit/sec to any single IP address, then you can safely RED their overage. this violates the whole peer-to-peer model but there's no help for that in the short term. if some internet cafe has a CuCme camera setup then you can find a way to let that traffic off-net without rate shaping. this will be the exception. -- Paul Vixie