Found this useful tip from the latest issue of Exchange & Outlook Administrator, and thought it would be good to have this information handy in case it happens in my organization.
by Paul Robichaux
1. Assign a default recipient policy that assigns an SMTP proxy address that would be invalid on the Internet.
2. Assign a secondary recipient policy that assigns the correct SMTP proxy address.
3. Apply the secondary recipient policy to those users or groups who need to be able to send mail to the Internet.
4. Configure your Exchange server system to use one bridgehead to send SMTP mail to the Internet.
5. On that bridgehead machine, use sender filtering on the SMTP virtual server to drop any email from senders whose addresses match the default recipient policy.
Question: it doesn't say what we should do if the main server and bridgehead machine are on the same computer.
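An audit for the five steps above, as an added example that is not part of the original tip: it reads an LDIF export of `proxyAddresses` and reports which users the bridgehead sender filter would block, allow, or leave in an inconsistent state. The domain names and the sample export are constructed, and it assumes outbound mail carries the user's primary address (the upper-case `SMTP:` entry) as sender.

```python
# Added example. Domain names and the sample export below are constructed.
INTERNAL_ONLY = "corp.invalid"     # assumed default-policy domain (step 1)
INTERNET = "example.com"           # assumed secondary-policy domain (step 2)

SAMPLE_LDIF = """\
dn: CN=Alice,OU=Staff,DC=corp,DC=example
proxyAddresses: SMTP:alice@example.com
proxyAddresses: smtp:alice@corp.invalid

dn: CN=Bob,OU=Staff,DC=corp,DC=example
proxyAddresses: SMTP:bob@corp.invalid

dn: CN=Carol,OU=Staff,DC=corp,DC=example
proxyAddresses: SMTP:carol@corp.invalid
proxyAddresses: smtp:carol@example.com
"""

def parse_ldif(text):
    """Return {dn: [proxyAddresses values]} from a simple, unfolded LDIF export."""
    entries, dn = {}, None
    for line in text.splitlines():
        if line.startswith("dn: "):
            dn = line[4:].strip()
            entries[dn] = []
        elif line.startswith("proxyAddresses: ") and dn:
            entries[dn].append(line.split(": ", 1)[1].strip())
        elif not line.strip():
            dn = None  # blank line ends the current entry
    return entries

def classify(addresses):
    """Predict what the sender filter in step 5 does with this user's mail."""
    # Upper-case "SMTP:" marks the primary address; lower-case entries are secondary.
    primary = [a[5:] for a in addresses if a.startswith("SMTP:")]
    if len(primary) != 1:
        return "review: no single primary SMTP address"
    domain = primary[0].rsplit("@", 1)[-1].lower()
    has_internet = any(a.lower().endswith("@" + INTERNET) for a in addresses)
    if domain == INTERNAL_ONLY:
        # An Internet address held only as a secondary does not change the sender.
        return "review: Internet address not primary" if has_internet else "blocked"
    return "allowed" if domain == INTERNET else "review: unexpected domain"

def audit(text):
    return {dn: classify(addrs) for dn, addrs in parse_ldif(text).items()}

if __name__ == "__main__":
    for dn, verdict in audit(SAMPLE_LDIF).items():
        print(f"{verdict:40} {dn}")
```
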