A couple of questions,
1) Is it common for mail filters to only filter external-to-interal mail traffic? Or do you use something that filters internal-to-internal and internal-to-external traffic too?
2) Is there anything built into Exchange by default (2003) to audit potential misuse, or do you need a 3rd party tool
3) Are there any specific "triggers" you can think of for internal-to-internal traffic to help an admin identify potential misuse, i.e. a top 3 triggers you would use? There needs to be some sort of alert type feature when a user triggers these potential misuse watermarks.