I am having a difficult time getting this particular wave of spammers. I've been able to find the issue in the past, but not this time. I'm sure it's a compromised password, but I'm unable to find the username being compromised. I log the Exchange server, IIS logging, HTTP error logging, SNMP logging events, Security, and so on. Below is a snippet of the Exchange log. Any help would be great.
2012-8-27 18:31:29 GMT 220.127.116.11 User - servername 192.168.1.1 firstname.lastname@example.org 1020 SERVERJhsvmenBHvjds000038f0@SERVER.DOMAIN.COM 3 0 4164 50 2012-8-27 18:24:16 GMT 0 Version: 6.0.3790.3959 - New Message From Chase Online(SM) email@example.com