Luckily we have yet to be bitten by a phisher setting up a clone of our centralized login page, but I'm sure it's just a matter of time.
On our old Webmail system, it had access to the user's password (because it used POP to grab their mail) and so I was able to scan users' outbound mail *before* it was sent to make sure no password was present. It logged any attempt to send a password and we usually got several hits per week.
Now that our students are on Zimbra, that particular checker is gone and the number of compromised accounts has shot up (several each week).
So I'm currently working on an outbound rate-limiting Milter (Sendmail/Postfix plugin) that will prevent anyone from sending to more than 1000 recipients per day. By skipping single-recipient messages and local recipients, I expect to be able to really minimize the false-positives. Any attempt to exceed the limit will silently quarantine the message and notify me. This won't prevent the account from getting compromised, but at least it'll minimize the collateral damage.
(one of our mailservers is still blocked from Hotmail right now because of a compromised account a couple of weeks ago)
Simon Fraser University