Hopefully the issue is now mitigated. I had to stop the service for about an hour and delete the affected files from the spool folders. I forgot I had a utility,
https://www.funduc.com/replace_studio_pro.htm, so I didn't have to write my own. It's a good search/replace product, and you can then delete the files that are found. There's no reason SM can't have some type of spool search and cleanup utility to handle this crisis; it's not the first.
Anyhoo, I'll keep an eye on it. As always, you get better from these things: more things locked down, better firewall rules, etc.
Lessons Learned:
1) SM needs a tool to clean up the spool
2) Blacklist IP and drop-down actions don't seem to work from the top outbound IP list
3) Stopping the SM service does not kill the process, and in some cases you can have two MailService processes running - bad!
4) ClamAV is super flaky/unstable
5) The UI is very sluggish at around 30K+ messages in the spool
6) I need to learn more about "service access" for each email address, so that accounts that are not used by people have better control over what they can do.
7) Hackers are smart people; they should put their talent to better use. This has cost me 7 hours of my day so far.
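The spool search-and-cleanup step described in the post (find every queued message matching a sender, subject or relay IP, then remove it) as a small script, added here as an example; it is not SmarterMail's tooling and not the poster's utility. It assumes the spool holds one RFC 5322 message per `.eml` file under one directory (confirm that against the real spool layout before using it on a server), stops short of deleting anything (hits are moved to a quarantine folder, dry run by default, so backscatter or a bad pattern can be reviewed and restored), and, like the post, expects the mail service to be stopped first. The sample messages and the `build_demo_spool` helper are constructed for a stand-alone run.

```python
#!/usr/bin/env python3
"""Scan a mail spool for messages whose headers match given regexes and
quarantine them (move, not delete) so hits can be reviewed or restored.

Added example, not SmarterMail's own tooling. Assumes one RFC 5322 message
per *.eml file; stop the mail service before moving files out of its spool."""
import argparse
import re
import shutil
import sys
import tempfile
from email import policy
from email.parser import BytesHeaderParser
from pathlib import Path

# Headers worth matching in an outbound-spam / backscatter cleanup.
HEADERS_TO_CHECK = ("From", "Return-Path", "Subject", "Received")
HEADER_BYTES = 64 * 1024  # headers sit at the top; no need to read big bodies


def compile_patterns(patterns):
    """Compile user-supplied regexes case-insensitively."""
    return [re.compile(p, re.IGNORECASE) for p in patterns]


def message_matches(raw, patterns):
    """Return the pattern string that hit one of the checked headers, or None."""
    try:
        msg = BytesHeaderParser(policy=policy.default).parsebytes(raw)
        values = [str(v) for name in HEADERS_TO_CHECK for v in msg.get_all(name, [])]
    except Exception:  # badly malformed headers: fall back to the raw header block
        values = [re.split(rb"\r?\n\r?\n", raw, 1)[0].decode("latin-1")]
    for pat in patterns:
        for value in values:
            if pat.search(value):
                return pat.pattern
    return None


def scan_spool(spool_dir, patterns, suffix=".eml"):
    """Return [(path, matched_pattern)] for every spool file whose headers match."""
    hits = []
    for path in sorted(Path(spool_dir).rglob("*" + suffix)):
        try:
            with path.open("rb") as fh:
                raw = fh.read(HEADER_BYTES)
        except OSError:
            continue  # file vanished or is still locked by the mail service
        hit = message_matches(raw, patterns)
        if hit is not None:
            hits.append((path, hit))
    return hits


def quarantine(hits, quarantine_dir, dry_run=True):
    """Move matched files into quarantine_dir; return the resulting paths."""
    qdir = Path(quarantine_dir)
    out = []
    for path, _ in hits:
        if dry_run:
            out.append(path)
            continue
        qdir.mkdir(parents=True, exist_ok=True)
        dest, n = qdir / path.name, 1
        while dest.exists():  # don't clobber same-named files from other folders
            dest = qdir / f"{path.stem}.{n}{path.suffix}"
            n += 1
        shutil.move(str(path), str(dest))
        out.append(dest)
    return out


# Constructed sample messages (not real spool content) for a stand-alone run.
_SAMPLES = {
    "001-spam.eml": (
        b"Return-Path: <winner@example.invalid>\r\n"
        b"Received: from mail.example.invalid ([203.0.113.5])\r\n"
        b"\tby mx.example.com with ESMTP; Mon, 1 Jan 2024 00:00:00 +0000\r\n"
        b"From: \"Prize Desk\" <winner@example.invalid>\r\n"
        b"Subject: You won the LOTTERY\r\n\r\nClick here.\r\n"),
    "002-legit.eml": (
        b"Received: from mail.example.org ([198.51.100.7])\r\n"
        b"\tby mx.example.com with ESMTP; Mon, 1 Jan 2024 00:01:00 +0000\r\n"
        b"From: alice@example.org\r\nSubject: Meeting notes\r\n\r\nSee attached.\r\n"),
    "003-backscatter.eml": (  # a bounce of the spam: no Received, but same subject
        b"From: Mail Delivery System <MAILER-DAEMON@example.net>\r\n"
        b"Subject: Undelivered Mail Returned to Sender: You won the lottery\r\n"
        b"\r\nThis is the mail system at example.net.\r\n"),
    "004-relay.eml": (  # different subject, but injected from the same relay IP
        b"Received: from [203.0.113.5] (unknown [203.0.113.5])\r\n"
        b"\tby mx.example.com with ESMTP; Mon, 1 Jan 2024 00:02:00 +0000\r\n"
        b"From: bob@example.com\r\nSubject: Invoice\r\n\r\nAttached.\r\n"),
}


def build_demo_spool():
    """Write the constructed samples into a fresh temp dir; return the spool path."""
    spool = Path(tempfile.mkdtemp()) / "spool"
    spool.mkdir()
    for name, body in _SAMPLES.items():
        (spool / name).write_bytes(body)
    return spool


def main(argv=None):
    ap = argparse.ArgumentParser(description=__doc__)
    ap.add_argument("--spool", help="spool directory (default: a generated demo spool)")
    ap.add_argument("--pattern", action="append", required=True,
                    help="regex matched against From/Return-Path/Subject/Received")
    ap.add_argument("--quarantine", default="spool-quarantine")
    ap.add_argument("--apply", action="store_true", help="move files (default: dry run)")
    args = ap.parse_args(argv)
    spool = Path(args.spool) if args.spool else build_demo_spool()
    hits = scan_spool(spool, compile_patterns(args.pattern))
    for path, pat in hits:
        print(f"{'MOVE' if args.apply else 'DRY '} {path}  ({pat})")
    quarantine(hits, args.quarantine, dry_run=not args.apply)
    print(f"{len(hits)} message(s) matched")


if __name__ == "__main__":
    sys.exit(main())
```

Run `python spool_scan.py --pattern lottery --pattern '203\.0\.113\.5'` to see the dry run against the demo spool; add `--spool <your spool dir> --apply` to move real hits. Matching on `Received` as well as `From`/`Subject` is what catches the messages injected through a single compromised account or relay IP even after the attacker rotates subjects, and the backscatter sample shows why a subject pattern alone can also sweep up legitimate bounces, which is the reason for quarantining instead of deleting.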