Not "nearly impossible." I work daily with people who run servers
exactly like that, yet spam of all sorts is spewing from their mail
queues. Most of the ones I see are SMTP accounts with weak passwords.
The spammers authenticate as the users and bam, the server is a spam source.
With Exim this can be substantially limited with a ratelimit.
http://www.exim.org/exim-html-current/doc/html/spec_html/ch40.html#SECTratelimiting
I use something like this.
  warn ratelimit   = 200 / 1h / per_rcpt / strict
       delay       = 10s
       log_message = Sender $sender_address rate $sender_rate / \
                     $sender_rate_period exceeds limit, delayed 10 seconds
It does not work as well when using webmail since messages all appear
to come from 127.0.0.1. I did find a plugin for Squirrelmail that
limits max recipients and messages sent per day and per account which
works well though.
Unfortunately, in my environment it's mostly Linux boxes running Plesk,
which uses Qmail as its MTA. Since users can set their own passwords,
you end up with lousy passwords like "password" or "12345". The only
password restrictions are dictionary checks, which don't do much to
prevent stupidity.
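As an added example that is not part of this thread (my own script, not Exim's or any poster's code), here is a Python check that reads Exim-style mainlog lines for authenticated submissions and flags accounts whose recipient count in any one-hour window exceeds 200, the same per_rcpt budget the ACL above enforces. The log layout is modelled on Exim's "<=" lines, and every address, host and message id in the sample is constructed.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Matches Exim-style mainlog "<=" (message received) lines for authenticated
# submissions: "A=" carries the authenticated account, "for" the recipients.
LOG_LINE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) \S+ <= \S+ .*?"
    r"A=\S+:(?P<account>\S+) .*?for (?P<rcpts>.+)$"
)

def parse_line(line):
    """Return (timestamp, account, recipient_count) or None if not a match."""
    m = LOG_LINE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group("ts"), "%Y-%m-%d %H:%M:%S")
    return ts, m.group("account"), len(m.group("rcpts").split())

def find_offenders(lines, limit=200, period=timedelta(hours=1)):
    """Per-account sliding-window recipient count, like a per_rcpt ratelimit.
    Returns {account: peak recipients in any `period`} for accounts over `limit`."""
    windows = defaultdict(deque)   # account -> deque of (timestamp, rcpt_count)
    totals = defaultdict(int)
    peaks = defaultdict(int)
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        ts, account, n = parsed
        q = windows[account]
        q.append((ts, n))
        totals[account] += n
        while q and ts - q[0][0] > period:   # drop entries outside the window
            totals[account] -= q.popleft()[1]
        peaks[account] = max(peaks[account], totals[account])
    return {a: p for a, p in peaks.items() if p > limit}

def sample_log():
    """Constructed log (not real data): alice sends one message, while bob's
    account sends 5 recipients a minute for an hour, 300/h, over the 200/1h limit."""
    base = datetime(2024, 1, 1, 9, 0, 0)
    fmt = "%Y-%m-%d %H:%M:%S"
    lines = [f"{base.strftime(fmt)} 1rAbCd-000099-ZZ <= alice@example.org H=(laptop) "
             f"[192.0.2.11] P=esmtpa A=plain_login:alice@example.org S=900 for carol@example.com"]
    for i in range(60):
        t = (base + timedelta(minutes=i)).strftime(fmt)
        rcpts = " ".join(f"victim{i * 5 + k}@example.net" for k in range(5))
        lines.append(f"{t} 1rAbCd-{i:06d}-XY <= bob@example.org H=(pc) [192.0.2.10] "
                     f"P=esmtpa A=plain_login:bob@example.org S=1500 for {rcpts}")
    return lines
```

Recipients only appear on "<=" lines when the `received_recipients` log selector is enabled, so a real mainlog without it will need the count taken from the delivery lines instead.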