We have been a victim of this several times in the last couple of months. The spammer creates a legitimate account and then has a robot that he/they use to drive squirrelmail to send their spam. We have had to put a number of measures in place to prevent this form of abuse.
Such spammers can be *very* persistent. One of our faculties operated a web based mail system for students (not Squirrelmail) and had a very persistent hacker who systematically worked around what ever restrictions they put in place over a period of a few months. They finally made it more trouble than it was worth to abuse.
Yep, sounds like the same sort of character. One of my obstacles, which wasn't visible in anyway only took him 2 hours to discover !! He was also quite happy to buy services using a stolen credit card in order to get access to webmail. Our current position is that we have put sufficient obstacles in place that do not adversely effect legitimate customers that he has not tried again for a couple of weeks now, but an awful lot of spam was sent through us while I was doing my best to get (and stay) ahead of him. So a general warning to people running webmail to be on the lookout. Look for multiple successive send 'POST's with between 20 and 50 receipents. This is not activity that someone using a browser is likely to produce. Glen.