June 28, 2010
Question

e-mail spam


Hi

We are having problems with e-mail spamming. We have a site which generates quotes which we sell to a number of solicitors. The problem is we are starting to receive spam mails, most from the same address and some from obscene e-mails, for example Hugh Jarse with an e-mail hjarse@hotmail.co.uk. This does not look good for our clients who receive the quotes. We have put a captcha code on the site which has helped, but we are still receiving them. Any ideas on other ways to help prevent this?

    1 reply

    ilssac
    Inspiring
    June 28, 2010

    The first thing to clarify here is: are the spam emails being generated by your systems and sent to your clients? Or are your clients just getting spam emails that look like they are coming from your system, because they have your organization's return address in them?

    There is nothing you can do about the latter scenario.  I can configure any email server in the world to send emails to everybody else in the world and spoof the return address to be your organization.  These emails won't go through you and you have no way to counter them or control them.

    On the other hand, if you have an open web page where user A can fill out a form and generate e-mails to users B through ZZZZZZZZ with any message they want, then you are basically operating a web-based open relay server and it can be tough to lock this down.  You can do some things, like captcha, that try to make automation more difficult.  But even if you had a perfect Turing test, so that only human beings can fill out your form, there are thousands of human beings willing to complete forms like this for a few dollars, especially in the current economy.

    Now that the soap box part of the reply is over, steps you can try:

    Captcha.  The best you can find.

    One-use keys in the form.  This is where, when your CFML page generates a form page, you create a one-use unique id.  Store this id in a persistent variable and pass it to the request in a hidden field.  When the form is submitted, check it against the keys stored in ColdFusion's persistent memory.  If the key has not been used, process the form; if it has, don't.

    Some people also try to limit how many forms can be submitted by one session and/or IP.  Say something like 10 emails from a given IP per hour.  This can be tricky to implement depending on what type of user base you have using your applications.  But I have read that people who have successfully implemented it are seeing a serious reduction in the number of spam form completions.
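
The one-use key and the per-IP hourly limit described in the reply above can be combined in one check. The following is an added example, not code from the reply or from Adobe; it assumes a server that supports CFML script components, and the component name, method names, the `formKey` field name and the 30-minute key lifetime are all hypothetical.

```cfml
// FormGuard.cfc (added example; component, method and field names are hypothetical)
component {

    // Call once, e.g. from onApplicationStart(), to create the shared stores.
    public void function setup() {
        application.formKeys = {};  // key -> time the form was rendered
        application.ipHits   = {};  // IP  -> array of accepted submission times
    }

    // When rendering the form: returns the value for the hidden field.
    public string function issueKey() {
        var key = createUUID();
        lock name="formGuard" type="exclusive" timeout="5" {
            application.formKeys[key] = now();
        }
        return key;
    }

    // On submit, e.g. allowSubmit(form.formKey, cgi.remote_addr).
    // True only for a known, unused, unexpired key from an IP under the limit.
    public boolean function allowSubmit(required string key, required string ip,
            numeric maxPerHour = 10, numeric keyTtlMinutes = 30) {
        var ok = false;
        var issued = "";
        var recent = [];
        var hits = [];
        var i = 0;
        lock name="formGuard" type="exclusive" timeout="5" {
            if (structKeyExists(application.formKeys, arguments.key)) {
                issued = application.formKeys[arguments.key];
                structDelete(application.formKeys, arguments.key); // consume: one use only
                if (structKeyExists(application.ipHits, arguments.ip)) {
                    hits = application.ipHits[arguments.ip];
                }
                // Keep only this IP's submissions from the last 60 minutes.
                for (i = 1; i <= arrayLen(hits); i++) {
                    if (dateDiff("n", hits[i], now()) < 60) arrayAppend(recent, hits[i]);
                }
                ok = dateDiff("n", issued, now()) <= arguments.keyTtlMinutes
                     && arrayLen(recent) < arguments.maxPerHour;
                if (ok) arrayAppend(recent, now());
                application.ipHits[arguments.ip] = recent;
            }
        }
        return ok;
    }
}
```

Keys for forms that are rendered but never submitted stay in `application.formKeys`, so a scheduled cleanup of entries older than the key lifetime is needed to keep that struct from growing without bound.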