Log and monitor all that you can. And watch for a large number of IPs logging into an account over a day (over a set limit - even across country - that takes into account "home - blackberry - airport lounge - airport lounge in another country - hotel - RIPE meeting venue" type scenarios). And especially watch for and/or firewall off logins from areas from where you see particularly high levels of smtp auth abuse / logins to compromised accounts

--srs

2010/4/21 Alex Kamiru <nderitualex@gmail.com>:
Inside customers, we have not changed to force port 587 and authentication for email clients, but the topic has come up in discussions. This won't, of course, stop spammers if they are hijacking the user's local email client settings.
How best would you stop spammers hijacking local users' email clients?
-Mike
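
The per-account check suggested in the reply at the top of this thread (distinct login sources per day against a set limit, plus logins from ranges with heavy SMTP AUTH abuse), as an added example that is not part of the original messages. The log format, the limit of 5, the /24 and /48 grouping and the "high abuse" range are all assumptions made for illustration.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed log format for this example, not the output of any real MTA.
LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2})T\S+ sasl_login user=(\S+) ip=(\S+)$")
MAX_NETWORKS_PER_DAY = 5  # hypothetical limit; leave headroom for travel days
HIGH_ABUSE_NETS = [ipaddress.ip_network("203.0.113.0/24")]  # placeholder range

def network_key(addr):
    """Collapse an address to its /24 (IPv4) or /48 (IPv6), so address churn
    inside one hotel or lounge network counts as a single location."""
    prefix = 24 if addr.version == 4 else 48
    return ipaddress.ip_network(f"{addr}/{prefix}", strict=False)

def analyse(lines, limit=MAX_NETWORKS_PER_DAY):
    """Return (over_limit, abuse_hits): accounts seen from more than `limit`
    networks in one day, and logins from HIGH_ABUSE_NETS."""
    seen = defaultdict(set)
    abuse_hits = set()
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # not an auth event
        day, user, ip = m.groups()
        try:
            addr = ipaddress.ip_address(ip)
        except ValueError:
            continue  # malformed address field
        seen[(day, user.lower())].add(network_key(addr))
        if any(addr in net for net in HIGH_ABUSE_NETS):
            abuse_hits.add((day, user.lower(), ip))
    over_limit = {k: len(v) for k, v in seen.items() if len(v) > limit}
    return over_limit, sorted(abuse_hits)

# Constructed sample: alice roams normally, bob appears from seven networks,
# carol logs in once from the placeholder high-abuse range.
SAMPLE = [
    "2010-04-21T07:10:02Z sasl_login user=alice@example.org ip=192.0.2.10",
    "2010-04-21T09:41:37Z sasl_login user=alice@example.org ip=192.0.2.44",
    "2010-04-21T13:05:50Z sasl_login user=alice@example.org ip=198.51.100.7",
    "2010-04-21T22:15:09Z sasl_login user=carol@example.org ip=203.0.113.77",
] + [f"2010-04-21T{h:02d}:00:00Z sasl_login user=bob@example.org ip=2001:db8:{h}::25"
     for h in range(1, 8)]

if __name__ == "__main__":
    over_limit, abuse_hits = analyse(SAMPLE)
    print("over limit:", over_limit)
    print("high-abuse logins:", abuse_hits)
```

Counting networks rather than raw addresses keeps a roaming user on one hotel or mobile network from tripping the limit, while an account used from many unrelated networks in a day still stands out.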