Well, thats part of the problem.... I'm not worried about the BES users since they already get their work email on the device. My real concern are people with their personal BB's getting enough of a clue to add their work email that way. Once this happens, I lose control of the email and it's subsequent replies.

I guess I could enable logging in IIS to start figuring out where the requests are coming from (BIS servers) and start dropping traffic to/from those addresses at the edge of the network, but there may be too many to make this effective.