Solution A) I have a sciptblocker that prevents new/unapproved users from using webmail and other scripts.
Problem: over time, the above allows user into webmail or after a verbal conversation with client I allow them in. ...and of course, they conned me and start spamming.
If you're experiencing the second problem, please let me know if you've found a solution.
Solution B) I've been working on a daemon that will monitor the last X users to see if they BCC or CC more than Y emails out via webmail. When they do, it locks up webmail until I manually allow it. (Once installed, the ability to edit a text file via SSH Required)
If there's some interest in this script, I'll make it available. Otherwise, I'll just use in internally. It is currently in Alpha testing.
