If you're not willing to shut off CGI access or FTP access (and personally, I'm not):
1) Make sure you've got /tmp in its own partition, mounted noexec.
2) Create a Terms of Service document which holds your users responsible for all spam sent through their account.
3) Make sure all your users get the document and know when it takes effect. Also tell them how to use hard-to-guess passwords and make sure they understand that if their account gets used to send spam for ANY reason, they've violated your terms of service.
4) Sign up for an AOL feedback loop here. AOL will then send you copies of ALL emails marked as spam which they get from your server; that's a great early warning for spam because just about all spam lists have AOL addresses on them.
5) When you get the spam, find it in your logs, and shut down the user's account.
Note that this is NOT specifically what I do, but it's certainly a good start.
Generally, do not tolerate users whose accounts send spam, whether it's because they do it intentionally themselves, or simply allow it because of poor software choices, or if their software gets hacked, or if their passwords get hacked.
Jeff
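A way to verify step 1 of the post above, added here as an example and not part of the original post: the function reads a file in /proc/mounts format and reports whether /tmp is a separate mount carrying the noexec option. The function name, exit codes and sample mount table are assumptions made for this example.

```shell
#!/bin/sh
# check_tmp_mount [FILE]
# FILE is in /proc/mounts format: device mountpoint fstype options dump pass.
# Exit codes (chosen for this example):
#   0  /tmp is its own mount and has noexec
#   1  /tmp is its own mount but noexec is missing
#   2  /tmp has no mount entry (it lives on another filesystem, e.g. /)
check_tmp_mount() {
    mounts_file=${1:-/proc/mounts}
    # Keep the last matching entry: a later mount on the same
    # mountpoint shadows any earlier one.
    opts=$(awk '$2 == "/tmp" { o = $4 } END { print o }' "$mounts_file")
    if [ -z "$opts" ]; then
        echo "FAIL: /tmp is not a separate mount"
        return 2
    fi
    # Wrap in commas so "noexec" only matches as a whole option.
    case ",$opts," in
        *,noexec,*)
            echo "OK: /tmp mounted with noexec ($opts)"
            return 0 ;;
        *)
            echo "FAIL: /tmp is a separate mount but lacks noexec ($opts)"
            return 1 ;;
    esac
}

# Constructed sample mount table (not taken from a real host).
sample=$(mktemp)
cat > "$sample" <<'EOF'
/dev/sda1 / ext4 rw,relatime 0 0
/dev/sda3 /tmp ext4 rw,nosuid,nodev,noexec,relatime 0 0
EOF
check_tmp_mount "$sample" || true
rm -f "$sample"
```

Called with no argument, the function reads the live /proc/mounts, so it can run from cron and flag a server whose /tmp options were changed or never applied after a rebuild.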