We have the problem that infected customers start sending spam over again. This happens about 1x per month. We have about 500 customers in our network.
We use this script to detect the infected users, and it works perfectly:
http://wiki.mikrotik.com/wiki/How_to_au ... MTP_output
Is it possible to block all SMTP traffic on our gateway NAT routers, and only allow, say, 10 IPs of known mail servers?
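
The allow-list asked about above, sketched as a RouterOS firewall configuration. This is an added example, not part of the original post or the linked wiki script. The list name `allowed-smtp`, the addresses (taken from the 192.0.2.0/24 documentation range) and the log prefix are assumptions to be replaced with the real mail servers.

```routeros
# Constructed example: address list of the mail servers customers may reach
# on TCP/25. Replace the documentation-range addresses with the real ones.
/ip firewall address-list
add list=allowed-smtp address=192.0.2.10 comment="mail server 1 (placeholder)"
add list=allowed-smtp address=192.0.2.11 comment="mail server 2 (placeholder)"
add list=allowed-smtp address=192.0.2.12 comment="mail server 3 (placeholder)"

# Forward-chain rules on the gateway router. Order matters: they must sit
# above any general "accept" rule for customer traffic.
/ip firewall filter
# 1. SMTP to a listed mail server is allowed.
add chain=forward protocol=tcp dst-port=25 dst-address-list=allowed-smtp \
    action=accept comment="SMTP to known mail servers"
# 2. Log every other SMTP attempt so infected hosts show up by source address.
add chain=forward protocol=tcp dst-port=25 action=log \
    log-prefix="smtp-blocked" comment="log SMTP to unknown servers"
# 3. Drop what was just logged.
add chain=forward protocol=tcp dst-port=25 action=drop \
    comment="drop SMTP to unknown servers"

# Only port 25 is matched here; whether the submission ports (587, 465)
# should be restricted as well is a separate decision not covered above.
```

The log rule keeps the blocked attempts visible, so a customer whose machine starts sending spam again still stands out by source address even though the traffic no longer leaves the network.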