[overbroad]

You're making assumptions. About how things would work and about users and what they can and cannot do. Typical online discussion. Lots and lots of assumptions.

I do not understand your last sentence. Didn't he say his ISP is blocking outgoing mail? The recipients are powerless to unilaterally change that situation.

Think about this for a moment. Forget the corporate example. Imagine one user has a daemon listening for mail (no setup, it's all been set up for him:- it's "built-in" to his OS). Imagine there is an authentication method e.g. a shared secret and perhaps even some obfuscation like port knocking to hide the open port. Even assuming a determined spammer can get past this, is it worth his time? He will reach a grand total of one user.

We can even use a small overlay, where the IP addresses are private, not routable on the internet. The spammer needs to get into the overlay network first, again defeating things like shared secrets or perhaps private keys to identify machines before he can even get a shot a access to a listening mail daemon. That's not easy to do if the users stay logged in. And again, if the network is small, with a few hundred users or less, maybe only a handful, is it worth his time?