Server updated, now everything is bogus

Discussion in 'Installation/Configuration' started by ZeroEnna, Apr 5, 2016.

  1. ZeroEnna

    ZeroEnna Member

    Hello everyone,
    This thread can be closed, everything is fixed now

    Regards

    Zero
     
    Last edited: Apr 5, 2016
  2. till

    till Super Moderator Staff Member ISPConfig Developer

    The most likely reason is a hacked website. Check the headers of the emails in the mailqueue with postqueue and postcat commands.
     
  3. ZeroEnna

    ZeroEnna Member

    Did that, the site was identified and exterminated :)
     
  4. DDArt

    DDArt Member

    How did you go about doing this? I'm sure lots will find the steps informative and helpful. Did you use maldet? sucuri? maillog, ISPProtect and so on.
     
  5. till

    till Super Moderator Staff Member ISPConfig Developer

    I explained that in several posts here in the forum in the past:

    1) Run "postqueue -p" to get a list of emails in the queue.
    2) Inspect strange emails with "postcat -q QUEID" where QUEID is the ID of the email that you got from the postqueue command.

    Emails sent by PHP have, in most cases, a header that shows the file that sent the email and which user sent it, so you can find the website by user, as each website in ISPConfig runs under a different web user.
     
  6. ZeroEnna

    ZeroEnna Member

    As till has explained:

    I picked one queued mail and dumped it via
    postcat -q QUEUEID | more

    I found the header line "X-PHP-Originating" which pointed to the website ID and a script name. After a "locate script.php", I was able to find and delete that script (a WordPress installation got hacked and was used to inject some code).
     
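The triage till and ZeroEnna describe (list the queue, dump a message, read the X-PHP-Originating-Script header, map the uid to the web user) as an added shell example that is not from the thread. The postqueue dump, postcat dump and passwd lines are constructed; the queue ID, uid, user and script name are invented.

```shell
# Added example (not from the thread): triage a Postfix queue for PHP-sent mail
# and map the sending uid to the web user. All sample data below is CONSTRUCTED.
# Shape of "postqueue -p" output (constructed; queue ID and addresses invented).
QUEUE_SAMPLE='-Queue ID-  --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5*    1234 Tue Apr  5 10:00:00  web5@example.invalid
                                         victim@example.invalid

-- 1 Kbytes in 1 Request.'

# Shape of "postcat -q A1B2C3D4E5" output (constructed; script name invented).
MAIL_SAMPLE='*** ENVELOPE RECORDS deferred/A/A1B2C3D4E5 ***
sender: web5@example.invalid
*** MESSAGE CONTENTS deferred/A/A1B2C3D4E5 ***
Received: by mail.example.invalid (Postfix, from userid 5004)
To: victim@example.invalid
X-PHP-Originating-Script: 5004:helper.php

body text
*** HEADER EXTRACTED deferred/A/A1B2C3D4E5 ***'

# Constructed /etc/passwd excerpt with an ISPConfig-style web user.
PASSWD_SAMPLE='root:x:0:0:root:/root:/bin/bash
web5:x:5004:5004::/var/www/clients/client1/web5:/bin/false'

# queue_ids: read "postqueue -p" output on stdin, print one queue ID per line
# with the trailing * or ! status flag stripped.
queue_ids() {
  awk '$1 ~ /^[0-9A-Za-z]+[*!]?$/ { sub(/[*!]$/, "", $1); print $1 }'
}

# originating_script: read a "postcat -q" dump on stdin and print "UID SCRIPT"
# from the X-PHP-Originating-Script header (PHP adds it when mail.add_x_header=On).
originating_script() {
  awk '/^\*\*\* MESSAGE CONTENTS/ { inmsg = 1; next }
       inmsg && /^$/ { exit }      # a blank line ends the header block
       inmsg && tolower($1) == "x-php-originating-script:" {
         split($2, v, ":"); print v[1], v[2]; exit }'
}

# uid_to_user: map a numeric uid to a login name using passwd lines on stdin.
uid_to_user() {
  awk -F: -v uid="$1" '$3 == uid { print $1; exit }'
}

# Report on the constructed data (live: pipe in "postqueue -p", "postcat -q $id", "getent passwd").
for id in $(printf '%s\n' "$QUEUE_SAMPLE" | queue_ids); do
  set -- $(printf '%s\n' "$MAIL_SAMPLE" | originating_script)
  [ -n "$1" ] && echo "queue $id: uid $1 ($(printf '%s\n' "$PASSWD_SAMPLE" | uid_to_user "$1")) script $2"
done
```

The header carries only the script's basename, which is why a "locate helper.php" (or a find over the web user's document root) is the next step; the uid tells you which site to search.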
