Firstly, I have given all my remote users replacement passwords, and forced them into changing them.
Secondly, I have set up individual VPN channels (all address/user configurations noted) which all come into a single subnet on my router and remotely reconfigured all the laptops to use them.
After setting the VPNs, I was able to remove all but the VPN subnet in SME manager. SME9admin is no longer reporting a lot of messages going out and spam@staubigstudio.com (my recipient of unknown incoming emails) has received no more emails since I set up the VPN.
If there are any more unexpected incomings, I will change the rule on the dozen possible VPN addresses disabling incoming IMAP and SMTP as well as their secure options.
I have had a few complains that the users have been forced to use webmail in the past few hours, but they are users and I am the boss