If you allow outgoing connections to port 25, it can be very difficult to track. We only allow select users (root, mailnull, mailman) to actually connect out using iptables, and then our users all use the local exim server to send mail.
Exim logs all the mail it sends to mysql (not full messages, just who it was sent to and what user sent it), so once all the mail goes through your smtp it's easy to track who's using what. I usually run:
select user,count(*) as cnt from eximstats.sends group by user order by cnt desc limit 20;
in mysql as root to get a list of the top 20 senders. The spammers are usually pretty obvious in the list (at least 10 times as many emails as the legitimate users).
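An added example (not from the post) that reproduces the post's top-sender query against a constructed sample of the eximstats.sends table, using SQLite in place of MySQL, and then applies the post's rule of thumb (a spammer sends at least 10 times as much as the legitimate users) to flag the account worth investigating. The user names, recipients and counts are constructed; the known_bulk exclusion for list managers is an assumption, not something the post describes.

```python
import sqlite3
import statistics

# Constructed sample of what the post's eximstats.sends table holds:
# one row per outbound message, with the local user that submitted it.
# "webapp7" stands in for a compromised web application account.
SAMPLE_SENDS = (
    [("alice", "friend@example.net")] * 12
    + [("bob", "boss@example.org")] * 9
    + [("carol", "list@example.com")] * 15
    + [("mailman", "subscriber@example.net")] * 30
    + [("webapp7", "victim%d@example.invalid" % i) for i in range(400)]
)


def load_sends(rows):
    """Build an in-memory stand-in for the eximstats.sends table."""
    db = sqlite3.connect(":memory:")
    db.execute("CREATE TABLE sends (user TEXT NOT NULL, recipient TEXT NOT NULL)")
    db.executemany("INSERT INTO sends (user, recipient) VALUES (?, ?)", rows)
    return db


def send_counts(db):
    """The post's query without the LIMIT: per-user send counts, busiest first."""
    return db.execute(
        "SELECT user, COUNT(*) AS cnt FROM sends GROUP BY user ORDER BY cnt DESC"
    ).fetchall()


def top_senders(db, limit=20):
    """Exactly what the post runs: the top N senders."""
    return send_counts(db)[:limit]


def suspicious_senders(db, ratio=10, known_bulk=("mailman",)):
    """Flag users sending at least `ratio` times the median of everyone else.

    Accounts in known_bulk (legitimate bulk senders such as the list manager)
    are never flagged, but they still count toward the baseline.
    """
    counts = send_counts(db)
    flagged = []
    for user, cnt in counts:
        if user in known_bulk:
            continue
        others = [c for u, c in counts if u != user]
        if others and cnt >= ratio * statistics.median(others):
            flagged.append((user, cnt))
    return flagged


if __name__ == "__main__":
    db = load_sends(SAMPLE_SENDS)
    for user, cnt in top_senders(db):
        print(f"{cnt:6d}  {user}")
    print("suspicious:", suspicious_senders(db))
```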
Spam blocking uses several ways to determine if a message is probably spam.
1. It looks for an email with a sender address that isn't legitimate and it looks for keywords (sexual terms, financial promises, and so on).
2. It compares words in the email with the common frequency of words in normal communication. It looks for other clues like messages with very little original content and a lot of forwarded or replied content.
3. Every time the spam blockers get more sophisticated (like blocking keywords), so do the spammers (like substituting misspelled words or non-alphabet characters to try to fool keyword rules), then the rules get more sophisticated (like using common word frequencies to eliminate messages with a lot of words like s*x or phrases like "nat:ural p:ll" that don't occur frequently in real text or common misspellings).
4. It's a never ending cycle and spammers have the edge most of the time.
Any blocking system that can be written can be circumvented.