MBF Knowledge Base

How do I find a compromised account in IMail server?

Determine which user account or accounts have been compromised. There are several ways to do this:

Open the SMTP log and search for the word "Authenticated". Each line you find should show the user that authenticated. Hit "Find Next" repeatedly in the text editor to see whether any one account is authenticating too frequently. If you suspect a particular account is authenticating too often, search the message thread to see who the mail is being sent to. If the recipients look like spammy addresses (johndoe@yahoo.com.tw, johndoe2@yahoo.com.tw), then you have likely found one of the problem accounts.

Alternatively, you can look directly in the spool to determine which account authenticated to send a message. Generally, after an account is compromised, there will be thousands of messages backed up in the spool. Find one of the files whose name starts with the letter "Q" and open it with a text editor. There should be a line in it that starts with the letter "A". The user account on this line is the one that authenticated to send the message.
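
Both checks above (the "Authenticated" lines in the SMTP log and the "A" line in the spool's Q files) can be tallied per account instead of paging through them by hand. The script below is an added example, not part of the original article or of IMail. It assumes the account name is the first token after the word "Authenticated" in a log line and the remainder of the first "A" line in a Q file; the function names and sample lines are constructed for illustration.

```python
import re
from collections import Counter
from pathlib import Path

# Assumption: the account is the first token after the word "Authenticated".
AUTH_RE = re.compile(r"\bAuthenticated\b[\s:]*([^\s,;]+)")

def count_log_auths(lines):
    """Tally SMTP log lines containing "Authenticated", per account."""
    counts = Counter()
    for line in lines:
        m = AUTH_RE.search(line)
        if m:
            counts[m.group(1).lower()] += 1
    return counts

def count_spool_auths(spool_dir):
    """Tally the account on the "A" line of each Q* file in the spool."""
    counts = Counter()
    for qfile in Path(spool_dir).glob("Q*"):
        if not qfile.is_file():
            continue
        with open(qfile, errors="replace") as fh:
            for line in fh:
                # Assumption: the account is the rest of the first "A" line.
                if line.startswith("A"):
                    counts[line[1:].strip().lower()] += 1
                    break
    return counts

def suspects(counts, threshold):
    """Accounts seen at least `threshold` times, busiest first."""
    return [(a, n) for a, n in counts.most_common() if n >= threshold]

# Constructed sample lines, not real IMail output.
SAMPLE_LOG = [
    "01:02 03:00 SMTPD(0001) Authenticated alice@example.com, session open",
    "01:02 03:00 SMTPD(0001) MAIL FROM:<alice@example.com>",
    "01:02 03:01 SMTPD(0002) Authenticated alice@example.com, session open",
    "01:02 03:01 SMTPD(0003) Authenticated bob@example.com, session open",
    "01:02 03:02 SMTPD(0004) Authenticated Alice@example.com, session open",
]

if __name__ == "__main__":
    for account, hits in suspects(count_log_auths(SAMPLE_LOG), threshold=3):
        print(f"{hits:6d}  {account}")
```

To use it on a server, pass the lines of the real SMTP log to `count_log_auths` and the spool directory path to `count_spool_auths`, and adjust the pattern if your log lines are laid out differently.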