@squibm
As far as I can tell none of the core Subscribe2 files can be called directly as they employ the recommended WordPress security fail safes of ensuring WordPress is running first.
Additionally, all email functionality within Subscribe2 is performed via the core WordPress wp_mail() function so any attempt to directly call the plugin files would fail if WordPress has not been called as the core functions wouldn't be available.
I suspect your site was compromised some other way and the spammers had access to the admin area of your site at the time of the email creation.