Force all SMTP outbound connections from users thru a SMTP proxy. On that proxy, force users to do SMTP Authentication; I've heard only once of a spam code that will use the user's configuration info or dispatch e-mail thru them. Even if they do, you can rate-limit messages/hour, unique mail to/hour, disable mail service after a threshold, whatever sounds a good policy to you.

This is the most sensible message I've read about SPAM in a long time. And it is even highly relevant to network operators who service end users. Now if only we could come up with something similar for ISP server-to-server mail transfers then we might actually reduce SPAM to a dull roar receding into the distance. --Michael Dillon