I would recommend putting in place a throttling and alert mechanism so that when the outgoing emails exceed a certain threshold the server limits the outgoing SMTP for the particular account and alerts the admin. I have never been a fan of outright filtering of outbound emails as this normally leads to a higher rate of false positives.

Cheers
-Matt

From: Message Sniffer Community [mailto:snif...@sortmonster.com] On Behalf Of Kaj Søndergaard Laursen
Sent: Sunday, February 21, 2010 7:10 PM
To: Message Sniffer Community
Subject: [sniffer] Outgoing spam filtering

Hi

I have now twice had users who are sending spam. One of them I am very certain must be a phishing victim: a connection from an IP in Nigeria at the same time the user was connected from her home DSL.

We are using Microsoft Exchange and sending through a Microsoft SMTP server on the DMZ. We do not have any spam-filtering on-premise at the moment. Only inbound SMTP is filtered by our colleagues in another part of the organization (we are part of a university). So I'm just asking on this list because I know that there are a lot of experts on this list (and I used sniffer when I ran the spam-filtering myself).

I talked with the support at one of the bigger Danish spam-filtering providers that were listing all our mail as spam. The only recommendation they could give was to change the IP-address that I was using to send mail. That won't help the receivers of the spam much :)

So can you recommend anything to stop outbound spam? Should I just run it through a spam-filter like I do with inbound, or is there a better solution?

Kind regards

Kaj Laursen
IT manager
Phone: 9629 6229
_____
Aarhus Universitet, Handels- og IngeniørHøjskolen | Birk Centerpark 15 | 7400 Herning
97 20 83 11 | i...@hih.au.dk | http://www.hih.au.dk/
_____