Turns out that the problem was due to a flag which allowed email from cloud@lists to be auto-allowed. We aren't sure who set it back then or why, but it is a 'legacy' feature so it should have come from the import from the old list. The flag has been turned off and we should not have it occur anymore.
I will be trying to delete the various spam from the archives since it could be links to malware and other bad stuff.