Yeah, I found the specifics.
IPS:
[SID: 21596] Audit: Jabber IM Client Connection detected. Traffic has been allowed from this application: C:\Program Files (x86)\Research In Motion\BlackBerry Enterprise Server\MDS\bin\bmds.exe
There are no Active Response entries after these IPS notices.
Upon further research, it turns out users have put WhatsApp on their BB devices, which uses the Jabber client and can integrate with BIS or BES, so that explains that. One of the flagged destination IPs was 69.171.241.10, which belongs to Facebook Inc.
So this might have nothing to do at all with this spam issue; however, the fact that the source IP for the "attacks" is the internal IP of the Exchange (and BES) server still makes me wonder.
According to the CBL, this client's public IP is listed and it's telling me they have the Waledac spambot. I honestly have no clue if this is at all accurate or not, or if the CBL is just giving automated responses to characteristics of a spambot but in truth it's really Facebook's filters reporting these IPS alerts... or... er... mental failure... shutting down, brain overload limit reached... 0x0000000!
Anyway, I have no clue, so I'm also pursuing this as a real spambot issue on the network. I've used SEPM to push a Full Scan to all systems. 50% completed with nothing found; 1 system had an Error, but I suspect it was mid-scan when the user flipped the laptop shut. The other 47% of systems are probably laptops that are not online, since the daily Client Status report sent to me showed a full half of the computers not online.
Anybody know a good "spam botnet removal" method? :) I'll read up on Waledac now. If the IPS or SEP angle can still be leveraged, please feel free to advise. Thanks again.
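An added example, not part of the post above: a small Python checker that does what a CBL/DNSBL web lookup does behind the scenes, so the listing can be verified from inside the network against the site's actual egress IP (the one the CBL would see), not the Facebook destination address. It assumes the Spamhaus ZEN zone (the CBL data was folded into Spamhaus XBL) and the return-code meanings from Spamhaus's public documentation; both are assumptions of this example, and the sample answers are constructed so it runs offline. The caveat a practitioner trips over: queries sent through a public resolver such as 8.8.8.8 are refused and answered with a 127.255.255.x error code, which must not be read as "listed".

```python
import ipaddress
import socket
from typing import Callable, Dict, List, Optional

# Assumed zone and return-code meanings, per Spamhaus's published docs for the
# ZEN combined list (the CBL data now lives in Spamhaus XBL). Both the zone and
# the codes are assumptions for this example, not facts from the post above.
ZONE = "zen.spamhaus.org"
RETURN_CODES = {
    "127.0.0.2": "SBL: verified spam source",
    "127.0.0.3": "SBL CSS: snowshoe / low-reputation source",
    "127.0.0.4": "XBL (ex-CBL): compromised host / spambot activity",
    "127.0.0.9": "SBL DROP",
    "127.0.0.10": "PBL: ISP-declared end-user range",
    "127.0.0.11": "PBL: Spamhaus-declared end-user range",
}
# Spamhaus signals query problems with 127.255.255.x instead of a listing,
# e.g. when the query arrives via a public/open resolver (127.255.255.254).
ERROR_PREFIX = "127.255.255."

Resolver = Callable[[str], List[str]]


def dnsbl_query_name(ip: str, zone: str = ZONE) -> str:
    """Reverse the IPv4 octets and append the DNSBL zone (RFC 5782 style)."""
    addr = ipaddress.IPv4Address(ip)  # ValueError on anything that is not IPv4
    return ".".join(reversed(str(addr).split("."))) + "." + zone


def check_dnsbl(ip: str, resolve: Resolver, zone: str = ZONE) -> Dict[str, object]:
    """Look an IP up in a DNSBL and classify the answer.

    listed=True  -> at least one 127.0.0.x A record came back
    listed=False -> NXDOMAIN / no A record: not listed
    listed=None  -> the list refused or could not answer (see 'error')
    """
    name = dnsbl_query_name(ip, zone)
    answers = resolve(name)
    reasons: List[str] = []
    error: Optional[str] = None
    listed: Optional[bool] = False

    errors = [a for a in answers if a.startswith(ERROR_PREFIX)]
    if errors:
        listed = None
        error = f"DNSBL returned {errors[0]}: query rejected, use a non-public resolver"
    else:
        for a in answers:
            if ipaddress.IPv4Address(a) not in ipaddress.IPv4Network("127.0.0.0/8"):
                # DNSBLs only answer inside 127/8; anything else means the DNS
                # path is being intercepted or filtered, so do not trust it.
                listed, error = None, f"non-loopback answer {a}; DNS may be hijacked or filtered"
                reasons = []
                break
            reasons.append(RETURN_CODES.get(a, f"unknown code {a}"))
        if error is None:
            listed = bool(reasons)

    return {"ip": ip, "query": name, "listed": listed, "reasons": reasons, "error": error}


def system_resolver(name: str) -> List[str]:
    """Real lookup through the host's configured resolver (network required)."""
    try:
        return sorted({r[4][0] for r in socket.getaddrinfo(name, None, socket.AF_INET)})
    except socket.gaierror:
        return []  # NXDOMAIN -> not listed


# Constructed answers so the example runs offline; 192.0.2.0/24 is the
# documentation range and these listings are invented for the demo.
FAKE_ANSWERS = {
    dnsbl_query_name("192.0.2.10"): ["127.0.0.4"],         # "listed as XBL/CBL"
    dnsbl_query_name("192.0.2.20"): [],                    # clean
    dnsbl_query_name("192.0.2.30"): ["127.255.255.254"],   # query via open resolver
}


def fake_resolver(name: str) -> List[str]:
    return FAKE_ANSWERS.get(name, [])


if __name__ == "__main__":
    for ip in ("192.0.2.10", "192.0.2.20", "192.0.2.30"):
        print(check_dnsbl(ip, fake_resolver))
    # For a live check of the site's egress IP, swap in system_resolver:
    # print(check_dnsbl("203.0.113.5", system_resolver))
```

Run it from a host whose resolver is the internal DNS server (or one that forwards to the ISP's resolver), and check the IP that the mail server actually leaves the network with. A 127.0.0.4 answer means the list saw spambot-style traffic from that address; it says nothing about which internal host produced it, which is where the firewall's outbound SMTP logs or the IPS source-IP data come in.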