Spam Mail

Discussion in 'HOWTO-Related Questions' started by Happy, Mar 25, 2013.

  1. Happy

    Happy New Member

    My mail server is on the Blacklist and I figured it was a client that might be causing the issue. However, since the office was closed this past weekend and all PCs were turned off, I am now thinking that maybe the mail server has been compromised. Is there a way to tell? I pulled a lot of the mail logs last week and saw nothing strange, but I'm not sure what I am looking for other than a bogus user.
     
  2. markc

    markc Member

    I find the 2 most common causes for outgoing spam are compromised passwords via phishing spams or brute-forced POP scans and insecure mail forms via a website. The 1st generally shows up as a lot of bounces returning to a user's Inbox, and then it's too late, but a forced password change prevents more injections, and the 2nd can be detected by noticing a lot of outgoing SMTP connections sourced from your own webserver IPs. To catch the 2nd one sometimes I rename /usr/sbin/sendmail to sendmail.orig and put in a shell script that logs the entire message and then calls sendmail.orig, and that will reveal ongoing PHP/web sourced outgoing spam.

    These points may be obvious to you, but it may help.
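The sendmail wrapper markc describes, written out as an added example (this is not code from the thread or from any mail package). It assumes the real binary has already been moved to /usr/sbin/sendmail.orig and that the log path /var/log/sendmail-wrapper.log is writable by whatever user runs the web server; both names are assumptions and can be overridden through the REAL_SENDMAIL and SPOOL_LOG environment variables. The SCRIPT_FILENAME line is only informative when the caller's environment carries it (typical for CGI/FastCGI PHP).

```shell
#!/bin/sh
# Added example (not code from the thread): a logging wrapper that stands in
# for /usr/sbin/sendmail after the real binary has been renamed to
# sendmail.orig, as markc describes. Whatever hands a message to "sendmail"
# (PHP mail(), a contact form, cron) gets logged together with who called it
# and from where, then the message is forwarded unchanged. Paths are assumptions.

REAL_SENDMAIL="${REAL_SENDMAIL:-/usr/sbin/sendmail.orig}"
SPOOL_LOG="${SPOOL_LOG:-/var/log/sendmail-wrapper.log}"

# log_and_forward ARGS...: capture the message from stdin, append it to
# $SPOOL_LOG under a header line, then replay it to the real sendmail with
# the same ARGS and return the real sendmail's exit status.
log_and_forward() {
    tmp=$(mktemp) || return 1
    cat > "$tmp"                         # full message: headers and body
    {
        printf '=== %s pid=%s uid=%s cwd=%s args=%s\n' \
            "$(date '+%Y-%m-%dT%H:%M:%S')" "$$" "$(id -u)" "$PWD" "$*"
        # CGI/FastCGI PHP environments usually carry the script that called
        # mail(); record it when present, since it points straight at the form.
        [ -n "${SCRIPT_FILENAME:-}" ] && printf 'script=%s\n' "$SCRIPT_FILENAME"
        cat "$tmp"
        printf '=== end\n'
    } >> "$SPOOL_LOG"
    "$REAL_SENDMAIL" "$@" < "$tmp"
    rc=$?
    rm -f "$tmp"
    return "$rc"
}

# summarize LOGFILE: messages per calling directory, busiest first. One
# vhost or upload directory dominating the list is the sign of an abused form.
summarize() {
    awk '/^=== / { for (i = 1; i <= NF; i++) if ($i ~ /^cwd=/) print substr($i, 5) }' "$1" \
        | sort | uniq -c | sort -rn
}

# Act as the drop-in replacement only when invoked under the sendmail name,
# so the same file can be sourced just for summarize().
case "${0##*/}" in
    sendmail) log_and_forward "$@" ;;
esac
```

To install it: `mv /usr/sbin/sendmail /usr/sbin/sendmail.orig`, copy the script to /usr/sbin/sendmail, `chmod 755` it, and run `summarize /var/log/sendmail-wrapper.log` after a few hours. The log holds complete message bodies, so keep it readable only by root and the web server user, and remove the wrapper again once the source is found, since a package upgrade of the MTA may otherwise silently replace it or leave sendmail.orig behind.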
     
