Check the /var/log/exim_maillog, and see if you see any patterns. Maybe grep the outlook for "<=" (the sending address) or look for "courier_login" or "dovecot_login" to see if maybe you have a compromised email account password. You could also look for "exceeded" or "failed" or "quota".
If you do not have any mail send limits, you may want to limit the hourly rate. We use 600, so we do something like this to look for accounts sending out a lot of spam:
Code:
exigrep exceeded /var/log/exim_mainlog | grep 600
There are all sorts of things you can search for in the mail logs to help track this down. Pattern recognition comes in VERY handy when digging through large logs.