Finding the authenticated User
With qpsmtpd LogLevel set to 6 (the default; check using
config getprop qpsmtpd LogLevel), the qpsmtpd log files will include an "auth" line indicating successful authentication.
The 2nd column (after date stamp) in the qpsmtpd logs is the connection/process ID -- all log entries related to a given email have the same connection/process ID and occur close to each other in time (ID numbers can be repeated, but not very often).
So - find the offending email in the qpsmtpd logs, note the connection ID, then look for the associated 'auth' entry.
A minor correction regarding qpsmtpd vs sqpsmtpd
/var/log/qpsmtpd/current is where traffic on port 25 is logged. This could have been non-secure or secure depending on your server's TLS settings.
Compromised Webapps
As implied by Stafano, webapps are a common source of vulnerabilities, and their behavior may not appear in the qpsmtpd log files depending on the configuration of the app -- but you mentioned that you are finding the offending messages in the qpsmtpd logfiles. For example, a test message I sent myself using
Sogo left no trace in the qpsmtpd logs.
Here's a wiki page on reading email-related logfiles:
https://wiki.contribs.org/Mail_log_file_analysis#qmail:_Outgoing_SMTP_traffic
This Google search finds a few other folks dealing with troublesome email relay problems:
https://www.google.com/search?q=site%3Acontribs.org+hacked+spam
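
Added example, not part of the original post: a shell helper that automates the lookup described above (find the offending entry, take its connection ID from the 2nd column, report the "auth" line logged for that same connection). The function names, the sample log lines, the "Accepted connection" session-start marker and the AUTH/NOAUTH output labels are assumptions made for illustration; the marker is used so that a reused ID is not matched against an older session's auth line.

```shell
#!/bin/sh
# Added example. sample_log prints CONSTRUCTED lines, not real qpsmtpd output.
# Assumed layout: column 1 = timestamp, column 2 = connection/process ID.
sample_log() {
cat <<'EOF'
@t01 4101 Accepted connection from 203.0.113.7
@t02 4101 auth: user alice authenticated
@t03 4101 mail from <promo@example.test>
@t04 4202 Accepted connection from 198.51.100.9
@t05 4202 mail from <news@example.test>
@t06 4101 Accepted connection from 192.0.2.44
@t07 4101 mail from <promo@example.test>
EOF
}

# find_auth_for PATTERN   (log is read from stdin)
# For each session containing PATTERN, print the auth line seen earlier in
# that session, or the matching line itself when the session has none.
# SESSION_START overrides the assumed session-start marker text.
find_auth_for() {
    awk -v pat="$1" -v start="${SESSION_START:-Accepted connection}" '
        { id = $2 }

        # New session: an ID reused by a later connection must not inherit
        # the auth line of the earlier one.
        index($0, start) { delete auth[id]; delete seen[id]; next }

        # Remember the most recent auth line for this connection ID.
        tolower($0) ~ /auth/ { auth[id] = $0; next }

        # First matching entry of a session: report who authenticated.
        index($0, pat) && !(id in seen) {
            seen[id] = 1
            if (id in auth) print "AUTH " auth[id]
            else            print "NOAUTH " $0
        }
    '
}

# Demo on the constructed sample.
sample_log | find_auth_for 'promo@example.test'
```

On a live server the same function would be fed the real log, for example `find_auth_for 'text from the offending entry' < /var/log/qpsmtpd/current`, after checking that the session-start text matches what your log actually prints.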