I read the same thing this morning. I believe that egress filtering is a waste of time.

The idea is to permit only packets from trusted hosts to leave your network? Certainly this can only be a voluntary thing; there is no way it could be enforced on a global scale.

Training is where I focus my energy when it comes to security.

As for the leper colonies? Again, too much time and energy. Just kick the offending PC off the network; don't allow any more traffic from the offending NIC.

Do this two or three times, and word gets around quickly that there's a Bastard SysAdmin playing Big Brother.

I know this is harsh, but should I / we as administrators spend all our free time coming up with new rules, mucking about with iptables / routers / insert favorite firewall because of stupid users?

Stupid users are a fact of life on the network. I believe that if the user remains stupid because I don't properly train them, that's my fault. After training, I give each user three strikes per issue; NO ACCESS FOR YOU!

/end rant
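The "three strikes per issue, then block the offending NIC" policy described in the post above, as an added example that is not part of the original post or anyone's production tooling. It assumes (my assumption, not the poster's) that the gateway logs policy violations with the iptables LOG target, so each violation appears as a kernel log line carrying the MAC=, SRC= and DPT= fields; the sample log lines are constructed, not captured. The script tallies strikes per (source MAC, source IP, destination port) and, once a host reaches three strikes on the same issue, emits the iptables commands that would drop everything from that NIC. The commands are only generated, never executed.

```python
import re
from collections import defaultdict

STRIKE_LIMIT = 3  # three strikes per issue, as in the post

# Constructed sample of iptables LOG output (hypothetical log prefix "POLICY";
# not real captured traffic). Host .23 hits port 25 three times, host .24
# hits port 6667 only twice.
SAMPLE_LOG = """\
Mar  3 09:12:01 gw kernel: POLICY IN=eth1 OUT=eth0 MAC=00:50:56:aa:bb:01:00:1c:42:00:00:11:08:00 SRC=192.168.1.23 DST=203.0.113.5 PROTO=TCP SPT=51000 DPT=25
Mar  3 09:12:05 gw kernel: POLICY IN=eth1 OUT=eth0 MAC=00:50:56:aa:bb:01:00:1c:42:00:00:11:08:00 SRC=192.168.1.23 DST=203.0.113.6 PROTO=TCP SPT=51001 DPT=25
Mar  3 09:13:40 gw kernel: POLICY IN=eth1 OUT=eth0 MAC=00:50:56:aa:bb:01:00:1c:42:00:00:22:08:00 SRC=192.168.1.24 DST=203.0.113.7 PROTO=TCP SPT=40000 DPT=6667
Mar  3 09:14:02 gw kernel: POLICY IN=eth1 OUT=eth0 MAC=00:50:56:aa:bb:01:00:1c:42:00:00:11:08:00 SRC=192.168.1.23 DST=203.0.113.9 PROTO=TCP SPT=51002 DPT=25
Mar  3 09:15:11 gw kernel: POLICY IN=eth1 OUT=eth0 MAC=00:50:56:aa:bb:01:00:1c:42:00:00:22:08:00 SRC=192.168.1.24 DST=203.0.113.7 PROTO=TCP SPT=40001 DPT=6667
"""

LINE_RE = re.compile(
    r"MAC=(?P<mac>[0-9a-f:]+) SRC=(?P<src>\S+) .*?DPT=(?P<dpt>\d+)"
)


def source_mac(mac_field):
    """The kernel LOG target writes MAC= as dst(6):src(6):ethertype(2) octets;
    the offending NIC is the source half, octets 6..11."""
    octets = mac_field.split(":")
    return ":".join(octets[6:12])


def tally_strikes(log_text):
    """Count violations per (source MAC, source IP, destination port)."""
    strikes = defaultdict(int)
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if not m:
            continue  # not a policy log line; ignore
        key = (source_mac(m["mac"]), m["src"], m["dpt"])
        strikes[key] += 1
    return dict(strikes)


def hosts_to_block(strikes, limit=STRIKE_LIMIT):
    """Hosts that reached the limit on at least one issue, as (mac, ip) pairs."""
    return sorted({(mac, ip) for (mac, ip, _), n in strikes.items() if n >= limit})


def block_rules(hosts):
    """iptables commands that drop all frames from each offending NIC.
    Strings only; nothing here runs iptables."""
    rules = []
    for mac, _ip in hosts:
        rules.append(f"iptables -I FORWARD -m mac --mac-source {mac} -j DROP")
        rules.append(f"iptables -I INPUT -m mac --mac-source {mac} -j DROP")
    return rules


if __name__ == "__main__":
    for rule in block_rules(hosts_to_block(tally_strikes(SAMPLE_LOG))):
        print(rule)
```

Two caveats worth knowing before doing this for real: the `-m mac --mac-source` match only sees the host's own MAC when the gateway sits on the same L2 segment as the offender (across a router, the source MAC is the router's), and a user who swaps or spoofs the NIC's address walks straight past it, so pair the MAC block with a DHCP reservation or switch-port shutdown where the infrastructure allows it.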