Maybe you have set up a weak account name/password combination, like test:test? This would be one of the first combinations tried by spambots. Then they are authenticated and use your server to send mail.
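One way to check for the situation described above, as an added example that is not part of the original thread: it counts authenticated submissions per account and flags accounts that send from many client addresses. It assumes the server writes Postfix smtpd-style log lines (the thread does not name the MTA); the sample lines, thresholds and function names are constructed for illustration.

```python
import re
from collections import defaultdict

# Constructed sample lines in Postfix smtpd log style (assumed format).
SAMPLE_LOG = """\
Jan 12 03:14:07 mail postfix/smtpd[2301]: 4F1A2C0D3E: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=test
Jan 12 03:14:09 mail postfix/smtpd[2302]: 5A2B3D1E4F: client=unknown[198.51.100.23], sasl_method=LOGIN, sasl_username=test
Jan 12 03:14:10 mail postfix/smtpd[2303]: 6B3C4E2F50: client=unknown[192.0.2.77], sasl_method=PLAIN, sasl_username=test
Jan 12 03:14:12 mail postfix/smtpd[2304]: 7C4D5F3061: client=unknown[203.0.113.99], sasl_method=LOGIN, sasl_username=test
Jan 12 03:14:15 mail postfix/smtpd[2301]: 8D5E604172: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=test
Jan 12 08:30:41 mail postfix/smtpd[2410]: 9E6F715283: client=office.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jan 12 09:02:13 mail postfix/smtpd[2415]: AF70826394: client=office.example.net[192.0.2.10], sasl_method=PLAIN, sasl_username=alice
Jan 12 09:05:00 mail postfix/smtpd[2416]: B0819374A5: client=mx.example.org[198.51.100.8]
"""

# Only lines for authenticated submissions carry sasl_username.
AUTH_RE = re.compile(
    r"client=\S*?\[(?P<ip>[^\]]+)\], sasl_method=\S+, sasl_username=(?P<user>\S+)"
)

def summarize_auth_senders(log_text):
    """Return {account: {"messages": count, "ips": set of client addresses}}."""
    stats = defaultdict(lambda: {"messages": 0, "ips": set()})
    for line in log_text.splitlines():
        match = AUTH_RE.search(line)
        if match:
            entry = stats[match.group("user")]
            entry["messages"] += 1
            entry["ips"].add(match.group("ip"))
    return dict(stats)

def suspicious_accounts(log_text, max_messages=3, max_ips=2):
    """Flag accounts over either threshold (illustrative values; tune to your traffic)."""
    flagged = []
    for user, s in summarize_auth_senders(log_text).items():
        if s["messages"] > max_messages or len(s["ips"]) > max_ips:
            flagged.append(user)
    return sorted(flagged)

if __name__ == "__main__":
    for account in suspicious_accounts(SAMPLE_LOG):
        s = summarize_auth_senders(SAMPLE_LOG)[account]
        print(f"{account}: {s['messages']} messages from {len(s['ips'])} addresses")
```

An account flagged this way should have its password reset and, if it is a leftover test account, be removed.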
Personally, I'd strongly suggest implementing an anti-spam gateway in front of the mail server to get better protection.
I know that SpamAssassin can do something; however, another commercial anti-spam gateway should be there.
You know, it's just like you would still purchase anti-virus software (like KAV, Sophos, Trend) even if you already have ClamAV.
(By the way, just curious, where is your location?)
Maybe you can try postgrey or policyd too. It works fine on my server.
Be aware that the code base the bots run is getting smarter and will retry if it receives a 450 error. The use of good RBLs, SaneSecurity signatures and additional SA rulesets will harden your installation.
If you add Barracuda you will need to register (free) your DNS IP addresses at BarracudaCentral.org.
Oh, thanks. You've suggested many tasks, and after applying some of them I will write the result here.
But about upgrading, I'm scared that all mails may be deleted. Is upgrading painless?
As I'm using the community edition, is there a possibility of backing up everything in a way that is painless and easy to perform?