A good first step to reduce outbound spam is to limit sending accounts to a defined hourly rate. Here's how to accomplish a simple hourly rate limit for each authenticated user in Exim:
ratelimit = 50 / 1h / strict / $authenticated_sender
This isn't the holy grail of spam prevention, but it will stem the damage that can be caused when a spammer compromises an account.
Lena Kiev has documented a more comprehensive abusive account solution for Exim in the following Github Wiki page: https://github.com/Exim/exim/wiki/BlockCracking. If you have the resources to implement a fairly comprehensive set of changes to your Exim configuration, Lena's approach has received good reviews from the Exim Users mailing list.