Problem now sorted!
Breun, you were right. It made me go back (with a clear head) and look again at what was going on. Using the guidelines
I was able to isolate the spam message headers:
Received: (qmail 1156 invoked by uid 10112); 6 Aug 2009 18:43:46 +0100
Received: from by server.domain.com (envelope-from <firstname.lastname@example.org>, uid 48) with qmail-scanner-2.06st
I looked up the uid 10112, and it belonged to qscand. What I should have been looking up was uid 48, which was the true source of the spam. This turned out to be a compromised account, whose password has now been changed to something better!
With regards to the qscand trail, I looked in /var/clamav/ and I saw files such as lott.hdb, phish.hdb, honeypot.hdb etc. which (I believed) I hadn't seen before and assumed that they were installed through a compromised login. Have since found out that they are signature databases for ClamAV.