Outbound Sender Ratelimit

Here at the University, we are victims of phishing attacks aimed at obtaining our users' account information so that the phishers can then use the credentials to launch spam attacks through our servers. This often leads to our domain being placed on blacklists.

A while ago, I stumbled across something called MIMEDefang. MIMEDefang works with the Sendmail Milter API. Using this, and with some help from the IT department at Carnegie Mellon University, I was able to put together something to detect when one of our accounts gets compromised. I do this by blocking senders that issue more than 5000 RCPT TO commands in an hour.

The attached script is a little light on comments, but this is what I have in production (minus environment specifics). As with everything on this site, this script is provided as is and carries no warranty. Please implement at your own risk.

Attachment: sender-filter.txt (9.2 KB)
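The counting rule described above (more than 5000 RCPT TO commands from one sender within an hour), sketched as an added Python example; it is not the attached script and not MIMEDefang code. The class and function names, the 60-second bucket width and the sample events are assumptions made for illustration, and the state is held in memory, whereas a filter running in several worker processes would need shared storage.

```python
from collections import defaultdict, deque

LIMIT = 5000    # RCPT TO commands allowed per sender (figure from the post)
WINDOW = 3600   # window length in seconds (one hour, from the post)
BUCKET = 60     # bucket width in seconds (assumption; bounds memory per sender)


class SenderRateLimiter:
    """Sliding-window count of RCPT TO commands per sender (hypothetical helper)."""

    def __init__(self, limit=LIMIT, window=WINDOW, bucket=BUCKET):
        self.limit, self.window, self.bucket = limit, window, bucket
        self.buckets = defaultdict(deque)  # sender -> deque of [bucket_start, count]
        self.totals = defaultdict(int)     # sender -> sum of live bucket counts

    def rcpt(self, sender, now):
        """Record one RCPT TO at epoch second `now`; return 'CONTINUE' or 'REJECT'."""
        key = sender.strip("<>").lower()   # normalise the sender address
        q = self.buckets[key]
        # Drop buckets that lie entirely outside the window.
        while q and q[0][0] + self.bucket <= now - self.window:
            self.totals[key] -= q.popleft()[1]
        start = now - (now % self.bucket)
        if q and q[-1][0] == start:
            q[-1][1] += 1
        else:
            q.append([start, 1])
        self.totals[key] += 1
        # Rejected attempts are counted too, so the block holds while the
        # sender keeps trying and lifts once its traffic ages out of the window.
        return "REJECT" if self.totals[key] > self.limit else "CONTINUE"


def sample_events():
    """Constructed sample: (epoch_seconds, sender) pairs, one per RCPT TO."""
    normal = [(1_700_000_000 + 90 * i, "staff@example.edu") for i in range(40)]
    phished = [(1_700_000_000 + i // 10, "Phished@example.edu") for i in range(6000)]
    return sorted(normal + phished)


def blocked_senders(events):
    """Replay events in time order and return the senders that hit the limit."""
    limiter = SenderRateLimiter()
    return {s.strip("<>").lower() for t, s in events if limiter.rcpt(s, t) == "REJECT"}


if __name__ == "__main__":
    print(blocked_senders(sample_events()))
```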