I remember quite some time ago hearing that spam mail on an infected internal system can use any port to send mail out. What I would like to setup is a set of firewall rules to only allow certain packets out through their correct ports, such as DNS ...