I have see quite a few cases where spam is sent from webmail accounts (mostly squirrelmail) by crackers who get access via weak passwords found by imap/pop probes as you described.
It's been my experience in the 15 years we have been doing support for regional ISPs that well over 50% of their user's passwords are easily cracked, and that getting the users to use good passwords is difficult to say the least.
Seen that too. Spammers must send out millions of messages to make any money. One good solution is ratelimiting at the MTA. Exim allows you to setup limits on the number of recipients a given IP can send messages to in a given time period. Squirrelmail has a plugin that does the same. That way if they break in to an account but can only send a few hundred messages a day its not worth there time. Less likely to get the server blacklisted as well. Its also good to configure Squirrelmail not to allow them to alter the return email address on the Squirrelmail account.
Matt