Relay Problem / Spam

hello i am getting trouble with my one domain. exim getting connections from different ip addresses and one domain sends lots of spam mail.
there is track delivery logs from this domain.

Code:

Event:failure 
User: domainuser
Domain: mydomain.com
Sender: play@example.org   //spammer address
Sent Time: Nov 24, 2016 3:32:15 PM
Sender Host: ip70-170-53-xxx.lv.lv.cox.net
Sender IP: 70.170.53.xxx  //spammer ip (there is lots of different ip addresses)
Authentication: dovecot_login
Spam Score: 0
Recipient: someusr@domain.com
Delivery User:
Delivery Domain:
Delivered To:
Router: enforce_mail_permissions
Transport: remote_smtp
Out Time: Nov 24, 2016 3:32:15 PM
ID: 1c9tCD-00064r-KH
Delivery Host:
Delivery IP:
Size: 30.77 KB
Result: Domain mydomain.com has exceeded the max emails per hour (125/100 (125%)) allowed. Message discarded.

i did not understand how this is possible. exim not accept open relay connections. and this guy sends lots of mails from my domain with different mail address.
i changed 3 times for this user password but spams still coming.
i scanned web folders for any harmfull script but nothing found.
any solution?

 

here is another track delivery log with success

Code:

Event:success
User: domainuser
Domain: mydomain.com
Sender: play@domain.org
Sent Time: Nov 24, 2016 3:09:15 PM
Sender Host: 170-231-226-19.static.example.com.br
Sender IP: 170.231.xxx.x
Authentication: dovecot_login
Spam Score: 0
Recipient: someusr@domain.pl
Delivery User: -system-
Delivery Domain:
Delivered To: >play24@example.org
Router: check_mail_permissions
Transport: address_reply
Out Time: Nov 24, 2016 3:09:15 PM
ID: 1c9sqS-0005ku-9f
Delivery Host: localhost
Delivery IP: 127.0.0.1
Size: 30.92 KB
Result: Accepted

how this is possible, the guy sends mail with different domain mail from my mail server?

 

yea, i changed domain main user and mail users passwords. at the end i found the problem, one of mail users computer infected kind of crypto virus and after entering password on outlook client spams starting again.

here is part of exim_mainlog

Code:

2016-11-28 15:16:11 1cBKqw-0006To-UL <= noreply@example.it H=(8.27.123.27) [8.27.123.27]:53040 P=esmtpa A=dovecot_login:user@mydomain.com S=5311 id=0FF5B4AD86527CCF13165FEBEFC267FD@sda.it T="si dispone di una spedizione" for stefano@domain.com
2016-11-28 15:16:11 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1cBKqw-0006To-UL
2016-11-28 15:16:11 1cBKqw-0006To-UL ** stefano@domain.com R=enforce_mail_permissions: Domain mydomain.com has exceeded the max defers and failures per hour (25/25 (27%)) allowed. Message discarded.

in this situation, attacker obtained my mail users password, and authenticate with his credentials to mail server then start spamming with different mail address as sender.
how can i block this? sending mail as different sender accessed with user@mydomain.com