To address this I have proposed installing filters that will only allow these folks to connect to port 25 of the ISP that has bought the ports. This way they are not able to relay off of anyone else's machine.
The problem is for companies like ours that live by selling mail accounts to users of other ISPs. They need POP and SMTP access to our mail servers, from wherever they are calling. We are running sendmail v8.9.1 with all the anti-relay stuff and RBL besides. The problem you have is the same one we have for secured SMTP, maybe easier. How do you tell the site is secure? In this case testing for open relays is well known.
What I really suggest, and this takes some work on your part, is to contact the site's admin and inform them of their open-relay status. If they won't close the relay, block them. Alternatively, you can assume that if they haven't gotten their relays closed by now they are too clueless to do so and block them immediately, with notification.
The problem is when the spam-bastard isn't relaying. We've been getting thousands of messages every week from spammers who buy dialup from various places, then connect directly to the destination mail server to deliver the mail. That's what this prevents. I don't know of any other method that does.
An interesting answer to the problem you discussed above was suggested by somebody from the EFF at a spam BOF at USENIX this summer. He suggested that by default, you filter on port 25. But if somebody needs access for legitimate reasons, or even if they don't, have a letter they can fill out, sign, and send in which states that they will not send spam, subject to a $500/message penalty. Then if they do, just bill them. An alternative for you would be to run a mail server on a different port...
-------Scott.