I have now determined that a particular user has been infected with a trojan causing the sending out of the mail through their account. I have diabled them whilst they clean their system.
I had thought that if no domains were enabled for relaying that they could not relay through their own domains. This appears not to be the case although if trying to smtp this does get blocked