Dealing with repeated spammers / accounts

How do you deal with repeated account compromises that send spam?

We have a huge problem with the passwords of users' e-mail accounts, which are vulnerable to IP addresses around the world and used to send spam.

Usually we just change the password in the email account and write the user. Recently, however, there have been multiple email accounts for these accounts that are at risk or the same email account has been compromised time and again.

Mostly the problem is an extremely weak or insecure password. In other cases, I suspect that the user has malware installed on their computer (and does not know what else is going on with their computer) or checks the account over insecure networks.

If it happens over and over again, sometimes we will proactively change the passwords of all of the account's email accounts or lock the account at other times. But apparently people do not like it – and they would as well outsource their hosting to a company that either knows no compromise issues or to a web hosting company that does not care about sending spam repeatedly.

I begin to believe that I lose the hard battle. I think it might be easier to let the spammers run rampant. And then, when people complain that they can not send mail for blacklisting, I simply tell them "hard%? $ #!".

I mean, is that what everyone else is doing?

Sorry, I did too much the weekend and this week and had to get into my soapbox a bit.