Short-term solutions can be worse because you don't have time to warn people, and the results are often slap-dash.
For example, to do as you propose:
- I'd have to block all direct outbound SMTP connections, just to keep people from circumventing the protections. I'd *love* to do this, seriously. But you wouldn't believe the hostility from the user community for thinking about it, even if they don't *use* any off-site mail servers. Hell, right here on Slashdot, I'd be called a jack-booted brainless wannabe-IT-thug for implementing anything like that.
- Our internal mail hubs would have to route all outward-bound email via our AV appliances, or we'd have to change our setup so that the AV appliances *are* our internal hubs (which would break smtp-auth). Not that difficult, actually... I have most of those rules set up already from the last time I looked at this.
- Based on the score assigned by the AVs, I'd have to quarantine or pass the email. The AVs, by the way, are McAfee appliances that (internally) use Spamassassin, just in case you were wondering.
To implement the punishment system you describe, I'd have to associate each quarantined email with the sending user... which is where things get difficult. If I'm going to (automatically!) trace an email to, say, a virused laptop on the campus wireless, that means I need to get my fingers into the logs of the APs, or somehow query the APs themselves... which means my *mail server* needs to figure out which AP a person is on, which is at the very least an . Are they using the campus Horde/IMP server? (The Nigerian spam gangs *love* Horde/IMP, by the way... 50% of phished accounts are exploited via webmail....) Then the mail server needs to troll around to figure out who was on a given webmail session.
All of this would be a lot easier if we forced people to use smtp-auth, even on-campus, and again, I would *love* to do that. But the backlash of suddenly demanding that would be really bad. You can't ask users to jump through a new hoop unless they think they're getting something new out of it... you need a carrot to match the stick. I mentioned that we're switching to Office 365... that will definitely require authenticated SMTP (possibly MAPI, ugh). But the new system is a carrot as well as a stick. As far as the users are concerned, turning on smtp-auth is just part of the setup process for their new toy, and it's a lot easier to sell.
You also have to decide little things, like: does a "potential" spam, sent once but CC'd to a dozen people, count as a single email or a dozen? How do you verify quarantined emails and stay on the right side of privacy law? As a sysadmin, I don't want to read your emails any more than you want me doing so. How do you make exceptions for people like pharmaceutical researchers, who probably send very "pill-pusher"-looking email to each *other* as normal business?
How do you build all this, as a short-term solution, scale it up to 0.25 to 0.5 million emails per day - without spending *any* money - and implement it *without* horribly breaking everything that already exists? Keep in mind you're talking about a user community numbering in the tens of thousands, and if an email doesn't arrive as fast as an instant message they're already on the phone to the help desk asking why "mail is so broken".
And, assuming you build this hair-trigger anti-spam system... after a number of people have been victimized by false positives, how do you keep your users from saying "Fuck you, I'm using Gmail"? To a certain extent, they're doing this already... and then they're storing research and email and patient data waaaay out of our hands. The hacking and phishing still goes on, but we can't do anything about it.
You can make it corporate/university policy that they're not *allowed* to do so, but then the users feel like they're trapped in IT-North Korea, a horrible system they're not allowed to escape from, but are told constantly it's for the best.
Picture taking every Slashdot user and telling them they're only allowed to run Outlook on Windows 8... that's the kind of hostility I'm talking about.
Basically, you're damned if you do, damned if you don't. But people react so much better if they feel like they've been shut down by a *person* rather than some unthinking, uncaring machine, even at the cost of a thousand spams going out rather than none. At least, as a person, I can spin it so that the user believes I was protecting them - and I am.
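The tracing problem described in the post above (a quarantined message has to be walked back from the hub log to a person: SMTP AUTH username if there is one, otherwise the webmail session, otherwise whichever device held that wireless IP at the time), as an added example that is not part of the original post or of any product mentioned in it. All log lines are constructed: the Postfix lines follow its real smtpd/cleanup log shape, while the webmail and wireless-controller feeds, and every host, user and message-id, are hypothetical formats and names chosen for illustration.

```python
"""Attribute quarantined outbound mail to a sending user by correlating the
mail-hub log with SMTP AUTH, a webmail application log and a wireless
association feed.  Added example; every log line below is constructed."""
import re
from datetime import datetime

# Constructed Postfix-style hub log: one message per attribution path.
MAIL_LOG = """\
Jan 14 09:01:02 hub1 postfix/smtpd[1234]: 3F2A1: client=wl-dhcp-41.campus.example[10.20.30.41]
Jan 14 09:01:02 hub1 postfix/cleanup[1235]: 3F2A1: message-id=<a1@laptop.campus.example>
Jan 14 09:01:03 hub1 postfix/smtpd[1236]: 7B9C2: client=webmail.campus.example[10.0.0.5]
Jan 14 09:01:03 hub1 postfix/cleanup[1237]: 7B9C2: message-id=<b2@webmail.campus.example>
Jan 14 09:01:04 hub1 postfix/smtpd[1238]: 9D4E3: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=carol
Jan 14 09:01:04 hub1 postfix/cleanup[1239]: 9D4E3: message-id=<c3@mail.campus.example>
"""

# Hypothetical webmail application log: which account sent which message-id.
WEBMAIL_LOG = """\
Jan 14 09:01:03 webmail imp: user=bob sent message-id=<b2@webmail.campus.example> from=192.0.2.8
"""

# Hypothetical 802.1X/DHCP feed from the wireless controller: user, IP, time.
AP_LOG = """\
Jan 14 08:40:00 wlc assoc user=alice ip=10.20.30.41 ap=lib-3
Jan 14 08:58:30 wlc assoc user=dave ip=10.20.30.41 ap=lib-3
Jan 14 09:30:00 wlc assoc user=erin ip=10.20.30.41 ap=lib-3
"""

WEBMAIL_HOSTS = {"10.0.0.5"}  # hosts whose submissions carry no end-user identity

TS = r"(?P<ts>\w{3} +\d+ \d\d:\d\d:\d\d)"
SMTPD_RE = re.compile(
    TS + r" \S+ postfix/smtpd\[\d+\]: (?P<qid>[0-9A-F]+): client=\S+\[(?P<ip>[0-9.]+)\]"
    r"(?:,.*sasl_username=(?P<user>\S+))?")
CLEANUP_RE = re.compile(r"postfix/cleanup\[\d+\]: (?P<qid>[0-9A-F]+): message-id=(?P<mid><[^>]+>)")
WEBMAIL_RE = re.compile(r"user=(?P<user>\S+) sent message-id=(?P<mid><[^>]+>)")
AP_RE = re.compile(TS + r" \S+ assoc user=(?P<user>\S+) ip=(?P<ip>[0-9.]+)")


def parse_ts(s):
    # Syslog timestamps carry no year; adequate for ordering within one day's logs.
    return datetime.strptime(s, "%b %d %H:%M:%S")


def parse_mail_log(text):
    """Return (queue-id -> {ts, ip, user}, message-id -> queue-id)."""
    queue, by_mid = {}, {}
    for line in text.splitlines():
        m = SMTPD_RE.search(line)
        if m:
            queue[m["qid"]] = {"ts": parse_ts(m["ts"]), "ip": m["ip"], "user": m["user"]}
            continue
        m = CLEANUP_RE.search(line)
        if m:
            by_mid[m["mid"]] = m["qid"]
    return queue, by_mid


def parse_webmail_log(text):
    return {m["mid"]: m["user"] for m in map(WEBMAIL_RE.search, text.splitlines()) if m}


def parse_ap_log(text):
    events = [(parse_ts(m["ts"]), m["ip"], m["user"])
              for m in map(AP_RE.search, text.splitlines()) if m]
    return sorted(events)


def user_on_ip_at(ap_events, ip, when):
    """Most recent association for `ip` at or before `when`, or None."""
    user = None
    for ts, eip, euser in ap_events:
        if eip == ip and ts <= when:
            user = euser
    return user


def attribute(message_id, queue, by_mid, webmail, ap_events):
    """Return (user, how) with the strongest evidence available, weakest last."""
    qid = by_mid.get(message_id)
    if qid is None:
        return None, "no hub record"
    rec = queue[qid]
    if rec["user"]:                      # smtp-auth: the hub itself knows who
        return rec["user"], "smtp-auth"
    if rec["ip"] in WEBMAIL_HOSTS:       # hub only saw the webmail server
        user = webmail.get(message_id)
        return user, ("webmail" if user else "webmail (no session record)")
    # Wireless path identifies the device holding the IP, not necessarily the person.
    user = user_on_ip_at(ap_events, rec["ip"], rec["ts"])
    return user, ("wireless-assoc" if user else "unattributed")


def attribute_all(quarantined_message_ids):
    queue, by_mid = parse_mail_log(MAIL_LOG)
    webmail = parse_webmail_log(WEBMAIL_LOG)
    ap_events = parse_ap_log(AP_LOG)
    return {mid: attribute(mid, queue, by_mid, webmail, ap_events)
            for mid in quarantined_message_ids}


if __name__ == "__main__":
    sample = ["<a1@laptop.campus.example>", "<b2@webmail.campus.example>",
              "<c3@mail.campus.example>", "<zz@nowhere.example>"]
    for mid, (user, how) in attribute_all(sample).items():
        print(f"{mid}: user={user} via {how}")
```

The ordering of the three checks is the point: an smtp-auth username is the only link the hub holds on its own, the webmail case needs a second log keyed on message-id, and the wireless case only ties the message to whoever last associated on that address before the submission time (here dave, not the later erin), which is a device, not a person, and is exactly the evidence a punishment system would be acting on.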