1.) Do NOT put your domain(s) in the white list.
It is a very popular way for spammers to get mail through to users by spoofing the from address to be the same address or domain name they are sending spam to. If you have any of your local domains or email addresses on the whitelist you should strongly consider removing them and correcting whatever spam filter is causing the false positives instead.
2.) Weak user passwords cause compromised accounts
Spammers will repeatedly connect to your mail server and try to crack user accounts and passwords. This is referred to as a "Dictionary Attack". If a user has a simple password (examples: password, abc123, password being the same as the username, etc) the spammer then has full access to relay mail through your server to the outside world.
There are a number of ways to prevent this from occurring:
Password Strength Requirements - IMail 11.5 now offers Password Strength settings at the domain level. If running IMail 11.5, open the IMail Administrator and browse to the Domain Properties page. Under "User Login Attempts" set the password strength to the desired setting and click Apply. In IMail 11.5, this will force a change of password the next time a user logs into webmail. Please note that in IMail versions 10.0 through version 11.03, this option will not apply to existing email accounts and will not prompt your users to change their password. After changing the password strength requirement, it is recommended that you email all users instructing them how to log into web messaging and change their password. You can easily send email to everyone on the server using MailAll.exe
Password Expiration - Starting in version 12, you can set password expiration for your users. This gives you greater flexibility with enforcing your password policy.
Account Harvesting Prevention - In IMail 11.5, you can enable Harvesting Prevention in POP3 and IMAP4. This new feature will add the spammer's IP address into the Control Access List after the configured number of failed logins when they are attempting to crack user accounts and passwords. POP3 and IMAP4 share the same registry settings for all Harvesting Prevention configurations. For more information, please see: Pop3 Settings NOTE: The Harvest Prevention feature is not available in previous versions of IMail.
Dictionary Attack Settings - SMTP has Dictionary attack settings which prevent spammers from repeatedly connecting and issuing RCPT TO commands to determine valid user accounts on your IMail domains. With this setting, you can limit how many invalid RCPT TO's a given IP can issue before being blocked. This will help prevent spammers from sending your local users spam email and also decrease the likelihood of Account Harvesting attempts.
Hacked Account Mail Regulator(HAMR) - Starting in version 12.2, IMail has the ability to monitor excessive logins and either throttle or disable accounts that authenticate too often. For more information, please see: HAMR Settings
3.) Make sure your 'Relay Mail For' setting is appropriate for your network
This setting is very powerful. If this is set to 'Relay For Anyone', you are basically a mail relay for anyone. Spammers will find and take advantage of this very quickly. Recommended setting is 'No Mail Relay' as it is the most secure. Please see: IMail Relay Options
4.) If your users authenticate from desktop mail clients, be sure the desktop machines have good Antivirus software running. Many times, viruses identify highjack email username/passwords from the mail clients of infected machines.
5.) Require that your POP/IMAP/SMTP clients use SSL or TLS. This will ensure that usernames and passwords are encrypted before they are sent over the wire. This is especially important if you have users that use free/public wifi access points.
6.) Require that you Web Mail uses SSL with an SSL certificate assigned to the Web Mail site in IIS and also force a redirect to the HTTPS:// site if they try to use the HTTP://.
If you already have a compromised account, refer to the following article for information on correcting this problem: http://ipswitchmsg.force.com/kb/articles/FAQ/How-to-correct-a-compromised-account