I ended up on a blocklist. Problem solved quickly, it happens unfortunately.
I use throttled set to delay at 200 messages / hour as a standard setting for all users
Unfortunately a user's password was stolen and before I could intervene the damage was done
In addition to the fact that I think I will change the approach, that is, I will set the throttled to reject, setting it to delay only to users who request it and after appropriate evaluation.
However, I realized some things
1) When cases like the one described happen, they usually do auth smtp using the user whose password they stole and then start sending emails with different sender to different recipients
2) They increase the messages to Unknown Users
It would not be the case to intercept these two events.
For example, a smarter throttled that goes from delay to reject, or that requires admin approval when a situation like the one described occurs?