Blocking just hides it. I used to believe in port blocking as the solution to many user problems, but now I have 3 and 4 page ACLs on my border routers. This does not scale. Yes, I could push this out via RADIUS to the NAS, but again this does not solve the problem.
The solution I am working toward is quickly identifying user infections. We are almost there. I collect and record all traffic from the users going to dark space and am almost finished with the system that will identify who held that IP at a specific time. It is all in SQL, so that is easy.
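An added example of the lookup the post above describes, written here as illustration and not the poster's own system: a lease-history table (who held which IP, from when until when) joined against recorded dark-space hits, so each hit is attributed to the subscriber who held the source IP at that moment. The table layout, the sample leases and the sample flow records are all constructed assumptions; the one design point worth copying is the half-open interval `start_ts <= ts < end_ts`, which keeps a hit at the exact hand-over second from matching two subscribers, and the LEFT JOIN, which keeps hits for which no lease record exists (a gap in the collector) visible instead of silently dropping them.

```python
import sqlite3

# Constructed sample lease history (not real data). One row per lease;
# end_ts is NULL while the lease is still active. Timestamps are ISO-8601
# UTC strings, which sort correctly as text in SQLite.
LEASES = [
    # (username, ip, start_ts, end_ts)
    ("alice", "10.0.0.5", "2004-03-01 00:00:00", "2004-03-01 12:00:00"),
    ("bob",   "10.0.0.5", "2004-03-01 12:00:00", None),
    ("carol", "10.0.0.9", "2004-03-01 06:00:00", "2004-03-01 18:00:00"),
]

# Constructed sample flow records: subscriber traffic to unallocated
# ("dark") address space, which no legitimate client should be sending.
DARKSPACE_HITS = [
    # (ts, src_ip, dst_ip, dst_port)
    ("2004-03-01 03:15:00", "10.0.0.5", "192.0.2.77",   445),
    ("2004-03-01 07:05:00", "10.0.0.9", "198.51.100.3",  25),
    ("2004-03-01 13:40:00", "10.0.0.5", "192.0.2.12",   135),
    ("2004-03-01 20:00:00", "10.0.0.9", "198.51.100.9", 445),  # no lease at this time
]

SCHEMA = """
CREATE TABLE leases (
    username TEXT NOT NULL,
    ip       TEXT NOT NULL,
    start_ts TEXT NOT NULL,
    end_ts   TEXT              -- NULL while the lease is still active
);
CREATE TABLE darkspace (
    ts       TEXT    NOT NULL,
    src_ip   TEXT    NOT NULL,
    dst_ip   TEXT    NOT NULL,
    dst_port INTEGER NOT NULL
);
CREATE INDEX leases_ip_start ON leases (ip, start_ts);
"""


def build_db():
    """Create an in-memory database holding the constructed sample data."""
    conn = sqlite3.connect(":memory:")
    conn.executescript(SCHEMA)
    conn.executemany("INSERT INTO leases VALUES (?, ?, ?, ?)", LEASES)
    conn.executemany("INSERT INTO darkspace VALUES (?, ?, ?, ?)", DARKSPACE_HITS)
    return conn


def who_held(conn, ip, ts):
    """Return the username that held `ip` at time `ts`, or None if no lease covers it.

    The interval is half-open (start <= ts < end) so a hand-over at exactly
    `end_ts` attributes to the new holder only. If overlapping lease rows ever
    slip into the table, the most recently started one wins.
    """
    row = conn.execute(
        """SELECT username FROM leases
            WHERE ip = ? AND start_ts <= ? AND (end_ts IS NULL OR ? < end_ts)
            ORDER BY start_ts DESC LIMIT 1""",
        (ip, ts, ts),
    ).fetchone()
    return row[0] if row else None


def attribute_hits(conn):
    """Every dark-space hit with the responsible subscriber, or None if unattributable."""
    return conn.execute(
        """SELECT d.ts, d.src_ip, d.dst_ip, d.dst_port, l.username
             FROM darkspace d
             LEFT JOIN leases l
               ON l.ip = d.src_ip
              AND l.start_ts <= d.ts
              AND (l.end_ts IS NULL OR d.ts < l.end_ts)
            ORDER BY d.ts"""
    ).fetchall()


def hits_per_user(conn):
    """Count attributable dark-space hits per subscriber: the infection shortlist."""
    rows = conn.execute(
        """SELECT l.username, COUNT(*)
             FROM darkspace d
             JOIN leases l
               ON l.ip = d.src_ip
              AND l.start_ts <= d.ts
              AND (l.end_ts IS NULL OR d.ts < l.end_ts)
            GROUP BY l.username"""
    ).fetchall()
    return dict(rows)


if __name__ == "__main__":
    db = build_db()
    for ts, src, dst, port, user in attribute_hits(db):
        print(f"{ts} {src} -> {dst}:{port}  held by {user or 'UNKNOWN'}")
    print(hits_per_user(db))
```

Run against a real lease log, the rows that come back with `UNKNOWN` are the ones to chase first: they mean the accounting feed lost a lease, not that the traffic was harmless.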
Our system is similar, except we block port 25 completely via RADIUS after we detect an outgoing virus or spam, then notify the customer. This eliminates the ACLs on the border routers. The user can still surf freely to download patches while not causing further damage. Some users just don't want to be bothered, and just use webmail to send e-mail and keep the block forever.