If your users are consistently getting their passwords stolen, then your users are idiots and you will need to do something like add a captcha to the webmail login page.
If it's the Nigerian gangs that have been attacking university web mail for about 12 months now, they are phishing your users with official-looking notices that ask the user to send account and password. If so, captcha won't do it.

I agree it's not exactly a SpamAssassin problem. But chances are the outbound mail would score pretty high, and spam score could be used by some other filter as a trigger to stop the mail from going out. And of course a sudden increase in volume from a user could also trigger.

Joseph Brennan
Columbia University Information Technology
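
The two triggers suggested in the message above (outbound spam score and a sudden jump in one user's sending volume) are sketched below as an added example; it is not part of the original post. It assumes outbound mail is already scored and logged as (time, authenticated user, score) records; the function name, thresholds and sample records are constructed for illustration.

```python
from collections import defaultdict
from statistics import median

SCORE_HOLD = 5.0    # assumed cut-off; 5.0 is SpamAssassin's default required_score
SPIKE_FACTOR = 10   # assumed: hold when an hour exceeds 10x the user's usual hourly volume
SPIKE_FLOOR = 20    # assumed: fewer than 20 messages/hour is never treated as a spike

def review_outbound(records):
    """records: (epoch_seconds, authenticated_user, spam_score) tuples in time order.
    Returns {user: set of reasons} for accounts whose outbound mail should be held."""
    hourly = defaultdict(lambda: defaultdict(int))  # user -> hour bucket -> message count
    reasons = defaultdict(set)
    for ts, user, score in records:
        hour = ts // 3600
        hourly[user][hour] += 1
        # Trigger 1: the outbound message itself scores as spam.
        if score >= SCORE_HOLD:
            reasons[user].add("spam_score")
        # Trigger 2: this hour's volume far exceeds the user's own baseline,
        # taken as the median of that user's earlier active hours (0 if none).
        earlier = [n for h, n in hourly[user].items() if h < hour]
        baseline = median(earlier) if earlier else 0
        if hourly[user][hour] > max(SPIKE_FLOOR, SPIKE_FACTOR * baseline):
            reasons[user].add("volume_spike")
    return dict(reasons)

def build_sample():
    """Constructed records: a steady user, a low-scoring burst, one high-scoring message."""
    recs = []
    for h in range(3):                      # alice: 3 messages/hour, clean
        recs += [(h * 3600 + i * 60, "alice", 0.4) for i in range(3)]
    for h in range(2):                      # bob: 2 messages/hour for two hours...
        recs += [(h * 3600 + i * 60, "bob", 0.9) for i in range(2)]
    recs += [(2 * 3600 + i * 30, "bob", 1.2) for i in range(40)]  # ...then 40 in one hour
    recs.append((2 * 3600 + 100, "carol", 6.1))                   # single spammy message
    return sorted(recs)

if __name__ == "__main__":
    for user, why in sorted(review_outbound(build_sample()).items()):
        print(user, sorted(why))
```

The volume trigger catches the burst from "bob" even though each message scores low, which is the case where score alone would let a phished account keep sending.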