Stopping open proxies and open relays

First step is correctly to specify the system's properties.

Yours is not a technical issue but one of user negligence. You have
to build the solution around this fact.

Curative measures that have worked elsewhere are:

1-Scan every client when it accesses

2-Disconnect compromised clients or route only to a warning page
   allowing access only to your tech support

3-First cleanup and advice to owner of compromised machine on how to be
   a good internet member is free; second costs $100; third results in
   permanent discontinuance of service and refusal to accept back as
   a client.

These measures will fix your problem.

Jeffrey Race