A good first step to reduce outbound spam is to limit sending accounts to a defined hourly rate. Here's how to accomplish a simple hourly rate limit for each authenticated user in Exim:
ratelimit = 50 / 1h / strict / $authenticated_sender
This isn't the holy grail of spam prevention, but it will stem the damage that can be caused when a spammer compromises an account.
Lena Kiev has documented a more comprehensive abusive account solution for Exim in the following Github Wiki page: https://github.com/Exim/exim/