I've been concerned with a simillar issue and since our mailserver a-vir scanner acts as a proxy and modifies the headers I couldn't see the originating IP of the mails even when I turned the smtp agent log to a higher level. So just looked at the mail scanner documentation and turned the debugging on.

That way I couldnt capture the originating IP of the "offender" which came out to be somebody from the people my users did have mail discussions. Another possibilty is that one of the machines on your network is infected and uses your SMTP.

Of course it doesnt hurt to install rkhunter and check your system for rootkits and vulnerable apps.