If the provider on which one is guesting has a policy to block outbound access from their network to all ports used for sending of mail, so that they can force one through their SMTP server for sake of control, micromanagement, or whatever, then (assuming they know about it), would they not then block official port 587 as well as port 25? That was the position I heard the 'customer service rep' take the last time I tried to solve such a problem through appeal to bureaucratic sensibility.
What I'm going to say is not new, but I guess we have a lot of trouble with SMTP because the same port is used as well for the communication between 2 MTAs as for between a MUA and a MTA. I don't know about any provider that doesn't require smtp auth on port 587. ISPs should block outgoing connections to port 25 unless they know the source is a SMTP MTA. I guess this would mitigate a lot of zombies as it would force them to use the provider's smtp server (which does outbound spam/virus filtering and ISPs can easily identify their own customers). Alternatively the zombie would use a remote port 587 but it would require authentication so again the identification of the "owned" machine / user would be possible.
Jean-Pierre