I'm looking for comments on whether this is generally seen as a
positive change or a waste
of time (ie - will the next virus or worm gleam your SMTP username and
Outlook Express and use it to replicate/SPAM)?
We are planning on moving the same way. Without a doubt, a new virus or
worm will emerge that will steal the SMTP-AUTH from the config file (or
more likely, ALL the new variants will steal the SMTP-AUTH info). But,
with SMTP-AUTH you can limit the number of connections and outbound
emails, which is the real reason we are doing it.
Also since some of the new variants are smart enough to bundle in a SMTP
server, or use the local service in XP, we have taken to blocking emails
from clearly marked residential high speed subnets (reverse DNS) in
other providers space. Maybe its time there is some proposed rfc like
device for this?