I cannot think I am the only one experiencing this problem and hope to find some suggestions to help mitigate it.

Earlier in December a SPAM email was delivered to large groups of people in our domain. The SPAM had a simple statement that 'we' were doing webmail maintenance and to click here. The click here took them to a site hosted on a free service that displayed a webmail login page that looked almost exactly the same as ours. Side by side only a few slight differences existed. As users entered their login and password they were taken to a "thank you" page. At that point a remote person has access to multiple webmail accounts.

The person with this information now has access to an unknown amount of accounts. They are using these accounts periodically to send mass SPAM messages to other domains.

We identify the problem when our Deferred Mail queue starts getting overloaded. I quickly see the account in question is sending SPAM.

Here is my problem. I am fighting this reactively after the account is used. We have setup a few jobs to search for changed Signature lines and forwarding addresses. Once the hacker changes the signature line of an account we are notified and lock the account.
We have requested all students change their password, but hard to get the message out to 10,000 people via email they do not all use regularly. We are aging out our passwords so they expire and are forced to change next week.

My real question is how to avoid this to begin with. Our spam filters (two systems) do not filter out all the spam. The crap that gets through sometimes is very distructive like my problem above. What tools or processes can we implement to catch this problem in the future. Anybody with external webmail access has to deal with this. Anybody can give their access to webmail away.

Thanks for any feedback,