do you have authentication required for fowarding. set it to use the same as pop and your real users will not see a difference. Even if your set-up requires you to use an additional password, that can be saved in the client of the user. If you don't your going to find allot of networks will not be accepting mail from you.

(sorry i just re-read your post...all mail user must authenticate, there is no other really workable option unless you want to be a spam host.)

check your logs to see the actual ip address of the spammer. black hole (if feasible) the entire subnet at your router. (drop all incoming packets)

use something like samspade and track it down and if its domestic, or in a friendly country, report it. it may help and it sure cant hurt.