Someone's abusing our exchange server

So there's lots of unusual traffic in our exchange server, spam being received and sent all the time, from and to different IPs, it's just a matter of time before we get blocked by pretty much everyone...

I'm just an above average user doing tech support... what I've done so far is checking that exchange's configuration doesn't allow open relay... and used wireshark to watch traffic a little bit... I can see a lot of traffic but have no clue about what else to do...
I've followed every tutorial I've found to correct exchange's configuration.. clueless already

any ideas guys?

halp

Buy an IPS

Force all users to change password at next logon

virus scan everything with more than 1 scanner include boot time scanning

Unsure TLS/SSL is enabled for authentication

Harden your server / firewall configuration

What version of Exchange are you running?

>3

linux