Better to prevent spam and not to look, because in many cases the user simply hacked and does not know that his account sends spam.
Spam can be sent in two ways
1) installed the mail server (e.g. exim)
2) Directly from php, perl, etc.
\r
To prevent spam you need
1) To prevent sending a first option to set limits for users, if you have exim, similar to
this. Of course, follow the instructions, don't, just watch there realized
2) Close the iptables means all outgoing connections on mail ports to all except a user running exim