Our guess from the information here is that most likely you have had a client's account compromised by a weak password. The other possibility is some type of web application or similar which generates email for you, which may have been compromised.
The first thing we would recommend doing is to take a look into the mail queues and try to look at an individual message to determine where it has come from since you have had no luck with your logs. If you can't do that, then you are going to have to increase logging to see where these messages are coming from.
We also would recommend making sure that you have a password policy for your clients such as minimum lengths including non-alpha characters. Depending on how difficult it would be to change your user's passwords you might just try that to start with. Lastly, you will need to delete the mail queues or you will just get listed again.