[fajarpri]

Sorry to joining the discussion.
I find it very interesting. It looks like the spams are sent through the webmail.
I suspect that someone in your network is guilty.
Regarding the change password, it's still possible that he/she planted a keylogger in the victim's pc that will record and send the new password to the bad guy.

In order to make sure that indeed the bad guys use the webmail, can you turn off tomcat for while and see if the spam stops? If it continues, then he's using another mean. If he's using webmail, we can begin tracing the ip address that is accessing the webmail. Knowing this, we will be able to narrow the possibilities.