Here is a wiki page with notes on digging things out of the qpsmtpd (inbound) & qmail (outbound) logs:
https://wiki.contribs.org/Mail_log_file_analysis

Here are some other possibly unhelpful ideas...

RelayRequiresAuth
With the SMTP proxy set to BLOCK, systems on the LAN should not be able to talk to off-site servers on port 25 or 465, but the SME will relay mail for an infected system on the LAN if qpsmtpd does not have 'RelayRequiresAuth' enabled.
Check using:
config getprop qpsmtpd RelayRequiresAuth
Enable it (if it is not enabled) using:
config set qpsmtpd RelayRequiresAuth enabled
signal-event email-update

Local Networks
There used to be advice floating around on the forums to configure "0.0.0.0/0" as a "local network" in server-manager to allow remote administration - if this is done, then the whole world is on the "LAN" as far as the SME is concerned.
Check the 'local network' setup in server-manager or at the command line to make sure it looks reasonable.
db networks show

Compromised System on WAN segment
If any of the systems on the WAN network are accessible from the Internet they could also be leveraged to relay email through the accessible system to the WAN port of the SME and from there out to the world.
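
One way to automate the "Local Networks" check from the post above, as an added example that is not part of the original post or of SME Server itself. It assumes `db networks show` prints each entry as `<network>=network` followed by indented `Mask=...` property lines; the function names and the sample data are constructed for illustration, and it goes slightly beyond the 0.0.0.0/0 case by also marking networks outside the private (RFC 1918) ranges for review.

```shell
#!/bin/sh
# Added example. On the server, run:  db networks show | audit_networks
# Prints one line per network: <network>/<prefix> <verdict>

audit_networks() {
    awk '
    # Count the set bits in a dotted mask (equals the prefix length
    # for a normal contiguous mask). Returns -1 if no mask was seen.
    function bits(m,   cnt, o, i, b, v) {
        cnt = split(m, o, ".")
        if (cnt != 4) return -1
        b = 0
        for (i = 1; i <= 4; i++) {
            v = o[i] + 0
            while (v > 0) { b += v % 2; v = int(v / 2) }
        }
        return b
    }
    # True for 10/8, 172.16/12 and 192.168/16.
    function is_private(a,   o) {
        split(a, o, ".")
        return (o[1] == 10) || (o[1] == 172 && o[2] >= 16 && o[2] <= 31) || (o[1] == 192 && o[2] == 168)
    }
    function report(   p, v) {
        if (net == "") return
        p = bits(mask)
        if (p == 0)                v = "OPEN-TO-WORLD"   # the 0.0.0.0/0 case
        else if (p < 0)            v = "REVIEW"          # entry without a Mask
        else if (!is_private(net)) v = "REVIEW"          # public range treated as LAN
        else                       v = "OK"
        printf "%s/%s %s\n", net, (p < 0 ? "?" : p), v
    }
    /^[0-9][0-9.]*=network/ { report(); net = $1; sub(/=.*/, "", net); mask = ""; next }
    $1 ~ /^Mask=/           { mask = substr($1, 6) }
    END                     { report() }
    '
}

# Constructed sample in the assumed output format (not from a real server).
sample_networks() {
    cat <<'EOF'
0.0.0.0=network
    Mask=0.0.0.0
192.168.1.0=network
    Mask=255.255.255.0
    SystemLocalNetwork=yes
203.0.113.0=network
    Mask=255.255.255.0
EOF
}

sample_networks | audit_networks
```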