Disable localrelay without authentication- how to do it and should I do it?

I run a very small VPS with a few clients that I have developed sites for. I've discovered that at least one of them is infected and sending out spam. I discovered this when I started getting emails like this: lfd on vps.xyz.net: LOCALRELAY Alert for vibre Time: Wed Sep 24 09:28:45 2014 -0700 Type: LOCALRELAY, Local Account - vibre Count: 101 emails relayed Blocked: No While I work to figure out where the infected files are can someone tell me how I can disable the ability for scripts to send email without authenticating via SMTP? Are there any downsides to doing this? What would you do if you were in this position? Thank you!