Verify your mail.log files and try to find out which user is sending the spam.
Also go to http://www.mxtoolbox.com/blacklists.aspx
and check if your server is not blacklisted in the meantime.
To check if you have an open relay, you can use the site http://www.abuse.net/relay.html
If you have an insecure contact form in one of your websites you will probably see that spam has been sent via a system user.
If you use a default ISPConfig server, this is the Apache user. On Debian this is www-data, but can be different on other Linux distributions.
If you use ISPConfig with suPHP enabled, insecure contact forms are easier to locate, because in that case spam has been sent via the webadmin of that website and not via the Apache user.
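One way to do the mail.log check described above, as an added example that is not part of the original post: it assumes Postfix-style log lines, where locally submitted mail (for example from PHP `mail()`) is logged by `postfix/pickup` with the submitting uid. The sample lines, host names and the `web4` site user are constructed.

```python
import re
from collections import Counter

# Constructed sample in Postfix syslog format (assumption: the MTA is Postfix).
SAMPLE_LOG = """\
Mar  3 10:15:01 web1 postfix/pickup[2211]: 4A1B2C3D4E: uid=33 from=<www-data>
Mar  3 10:15:01 web1 postfix/qmgr[1190]: 4A1B2C3D4E: from=<www-data@web1.example.com>, size=812, nrcpt=40 (queue active)
Mar  3 10:15:07 web1 postfix/pickup[2211]: 4A1B2C3D5F: uid=33 from=<www-data>
Mar  3 10:15:07 web1 postfix/qmgr[1190]: 4A1B2C3D5F: from=<www-data@web1.example.com>, size=815, nrcpt=35 (queue active)
Mar  3 10:16:12 web1 postfix/smtpd[3001]: 7C9D0E1F2A: client=mail.example.org[192.0.2.10]
Mar  3 10:16:12 web1 postfix/qmgr[1190]: 7C9D0E1F2A: from=<alice@example.org>, size=2048, nrcpt=1 (queue active)
Mar  3 10:17:00 web1 postfix/pickup[2211]: 5B2C3D4E6A: uid=0 from=<root>
Mar  3 10:17:00 web1 postfix/qmgr[1190]: 5B2C3D4E6A: from=<root@web1.example.com>, size=512, nrcpt=1 (queue active)
Mar  3 10:18:30 web1 postfix/pickup[2211]: 6C3D4E5F7B: uid=5004 from=<web4>
Mar  3 10:18:30 web1 postfix/qmgr[1190]: 6C3D4E5F7B: from=<web4@web1.example.com>, size=900, nrcpt=50 (queue active)
Mar  3 10:48:30 web1 postfix/qmgr[1190]: 6C3D4E5F7B: from=<web4@web1.example.com>, size=900, nrcpt=50 (queue active)
"""

PICKUP = re.compile(r"postfix/pickup\[\d+\]: (?P<qid>\w+): uid=(?P<uid>\d+) from=<(?P<sender>[^>]*)>")
QMGR = re.compile(r"postfix/qmgr\[\d+\]: (?P<qid>\w+): from=<[^>]*>, size=\d+, nrcpt=(?P<nrcpt>\d+)")

def local_senders(lines):
    """Return {(uid, sender): (messages, recipients)} for locally submitted mail."""
    pending = {}                      # queue id -> (uid, sender), until qmgr reports nrcpt
    messages, recipients = Counter(), Counter()
    for line in lines:
        m = PICKUP.search(line)
        if m:
            key = (int(m["uid"]), m["sender"])
            pending[m["qid"]] = key
            messages[key] += 1
            continue
        m = QMGR.search(line)
        # pop() so a deferred message re-activated later is not counted twice;
        # mail received over SMTP has no pickup line and is skipped.
        if m and m["qid"] in pending:
            recipients[pending.pop(m["qid"])] += int(m["nrcpt"])
    return {key: (messages[key], recipients[key]) for key in messages}

def report(lines):
    """Senders sorted by recipient count, highest first."""
    return sorted(local_senders(lines).items(), key=lambda kv: kv[1][1], reverse=True)

if __name__ == "__main__":
    for (uid, sender), (msgs, rcpts) in report(SAMPLE_LOG.splitlines()):
        print(f"uid={uid:<5} sender={sender:<10} messages={msgs:<4} recipients={rcpts}")
```

A high recipient count for uid 33 (`www-data` on Debian) points at a script running under Apache; with suPHP the count shows up under the site's own user instead, which narrows the search to one website.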