Jus in case this is of interest to anyone, we had a security breach recently where a remote mailserver was accessible through port 25 from the internet and was happily relaying spam through our Ironports which are set to trust internal machines. We got ourselves listed on some blocklists. From this, I discussed with Ironport what our options were in terms of monitoring trends and alerting on sudden spikes. Very simple. None.
As I have Solarwinds NPM installed, I figured I could use that as it has all the features for this that I require. Problem is, Ironport doesn't have snmp counters readily available to report (through snmp) the amount of hourly emails going out. The GUI shows it, but that's a separate engine that parses the logs. There's a cli command to display the rate messages come in and out, but it is again not available through snmp.
Eventually I went for monitoring tcp connections, as the Ironport GUI reporting showed a massive spike in outgoing tcp connections (as you would expect when 900,000 emails are send out in 2 days where normally we'd send maybe 10,000). Solarwinds can graph this polling OID 18.104.22.168.22.214.171.124 "The number of TCP connections for which the current state is either ESTABLISHED or CLOSE-WAIT". All I have to do now is wait a few weeks to get a baseline to set my alert.
Hope this helps someone!