Email Spamming

There are two methods of sending email, both of which spammers use:
1. Sending Email Through Your Email Account

Just like you do, if a spammer gains access to the username/password of your email account, they can log in and use your email server to send emails.

2. Sending Email From Their Own Web Server

This is how most spam is sent. Any server can send emails and the code can make the reply address say anything. A few lines of code could send an email from [email protected].

Most SPAM is sent using #2 above. So a quick line of code and they can send an email that looks like it was sent from your domain but had nothing to do with your domain.

Every email contains a header, which your email program hides from view. This header contains all sorts of information about where this email came from and how it was sent. It is often very easy to confirm that the reply address with your domain did not actually originate from your server.

Not necessarily, @bluvia. If your site doesn't have a proper captcha system, they can use the comment forms or the password recovery forms to inject malicious code into your php and simply use sendmail to bombard with over a thousand emails per minute. If you suspect something like that is happening, the best bet is to disable postfix and repair the website. If the website is not repairable or it would take a lot of time, restore a previous backup.
It's recommended to use Google ReCaptcha in most php enabled websites to ensure that malicious scripts do not gain access to the php command line.

You could install WordFence in case you're using wordpress. It scans all your website for modified files and attempts to automatically fix them.