Have you ruled out Virus activity? if not I suggest turning on SMTP logging (if not already on) for you SMTP gateway and look for suspect IPs, IE an ip of a workstation talking to your gateway, this should not be unless that machine has a need or design to do so. They shouldn't be hard to find, indicitive of a virus launching its own SMTP engine and pounding out messages from a legit IP address on your internal subnet.