thx for reply
the interesting things:
i never changed the MX record
the used mailadress contains a subdomain that was created by confixx
the email adress can be found via google
the service got shut down one year ago
MAIL TO: [email protected]in - missing last letter of username
the attackers then(after succeedin ) used the subdomains name as "FROM:" with different username ([email protected])
the CNAME record was deleted after 10 minutes but yesterday i got a spammail again (adobe OEM with random textarea)

i'm curious :
would it be possible to use such behaviour as mailworm/spam trap
in my opinion it could work