I run a small server hosting sites for around 100 unique clients. I've had issues with my legitimate mail server showing up on DNS Blacklists, so I need to find out if one of my many clients has a bad script somewhere sending junk through my SMTP Virtual Server in IIS6.
I have email sending out correctly, I have relaying set to only allow for 127.0.0.1, so I know that someone somewhere on this box is allowing bad mail through the service. I've enabled all logging on the SMTP service, but it doesn't give me any clue as to which script (most likely a Classic ASP VBScript application) is the culprit.
With IIS6 and the built in SMTP server, I think you're going to be out of luck. The built in SMTP server is pretty limited in its functionality. Outside of writing some kind of plugin (which you can do) or buying a plugin that can implement scanning and logging of the SMTP message envelopes, you're not going to get much more information that what you have now.
As mentioned by jdw in his comment; I have used exim in the past for this specific purpose, and I find the linux based MTA's much more flexible and powerful for this kind of thing. But that doesn't help you if all you have is an IIS box.
Since classic ASP is plain text you could do a text search across the server for common ASP commands for sending mail such as
From there you should be able to see how the script is setting up the 'from' address. I'd say that any scripts that have a dynamic FROM value or alternatively if you have known junk consistently from the same email address just search for that email address.
Going forward I'd strongly recommend only using authenticated SMTP.
This is strictly theoretical but I read an article on a similar situation a while ago. You should be able to use a Wireshark type product configured on the loopback address to get a packet capture containing all the references to your default SMTP connector. Might be worth looking into.
http://wiki.wireshark.org/CaptureSetup/Loopback