Spammer has relayed through my server using a forwarder (no real account) as authentication
An account hit its email defer limit yesterday so I look at the outbound email and I see a load of email saying it's gone out from a local alias/forwarder (no email account).
Mail report shows
Event: success
Sender User: ClientUser
Sender Domain: clientdomain.com
Sender: ForwarderNoAccount@clientdomain.com
Sent Time: Oct 31, 2018 12:10:12 PM
Sender Host: SpammerIP
Sender IP: SpammerIP
Authentication: courier_login
Spam Score: 0
Recipient: recipientemail@anon.com
exim_maillog shows
2018-10-31 13:10:52 1gHqGo-0006LX-TY <= ForwarderNoAccount@clientdomain.com H=([SpammerIP]) [SpammerIP]:49169 P=esmtpa A=courier_login:ForwarderNoAccount@clientdomain.com S=1493978 T="Goods Order" for recipientemail@anon.com
2018-10-31 13:10:52 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gHqGo-msgID
2018-10-31 13:10:52 1gHqGo-msgID SMTP connection outbound 1540991452 1gHqGo-msgID clientdomain.com recipientemail@anon.com
Sorry, the post is not finished but it won't let me edit it in any shape or form! I was in the process of removing the exim log lines from 2018-10-31 13:10:57 onwards. It was also meant to end with... How did they send this mail out? There is no user/password for the account ForwarderNoAccount@clientdomain.com and my server is not an open relay.
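Added example, not part of the original post: one way to tally authenticated arrivals (`<=` lines carrying an `A=` field, as in the log above) by login id and source IP, and to list login ids that do not match any known mailbox. The function names, the sample log lines (constructed, using documentation addresses) and the mailbox list passed in by the operator are assumptions.

```python
import re
from collections import defaultdict

# Exim arrival ("<=") line: timestamp, message id, envelope sender, then fields.
ARRIVAL = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) (\S+) <= (\S+) (.*)$")
# Remote IP is the bracketed address preceded by a space; the HELO copy sits in "(...)".
REMOTE_IP = re.compile(r" \[([0-9A-Fa-f:.]+)\]")
# A=<authenticator name>:<authenticated id>
AUTH = re.compile(r"\bA=([^:\s]+):(\S+)")

# Constructed sample lines in the same shape as the log in the post.
SAMPLE_LOG = [
    '2018-10-31 13:10:52 1gHqGo-0006LX-TY <= forwarder@example.com H=([203.0.113.7]) [203.0.113.7]:49169 P=esmtpa A=courier_login:forwarder@example.com S=1493978 T="Goods Order" for rcpt@example.net',
    '2018-10-31 13:10:52 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gHqGo-0006LX-TY',
    '2018-10-31 13:11:03 1gHqGz-0006Mb-Aa <= forwarder@example.com H=([203.0.113.9]) [203.0.113.9]:50211 P=esmtpa A=courier_login:forwarder@example.com S=1493102 T="Goods Order" for other@example.net',
    '2018-10-31 13:12:40 1gHqIY-0006Nc-Bb <= user@example.com H=(laptop) [198.51.100.4]:51000 P=esmtpa A=courier_login:user@example.com S=2048 T="Hello" for friend@example.net',
]

def authenticated_senders(lines):
    """Group authenticated submissions by (authenticator, login id)."""
    summary = defaultdict(lambda: {"count": 0, "ips": set(), "senders": set()})
    for line in lines:
        arrival = ARRIVAL.match(line)
        if not arrival:
            continue  # not a message arrival line
        sender, rest = arrival.group(3), arrival.group(4)
        auth = AUTH.search(rest)
        if not auth:
            continue  # arrival without SMTP authentication
        entry = summary[(auth.group(1), auth.group(2))]
        entry["count"] += 1
        entry["senders"].add(sender)
        ip = REMOTE_IP.search(rest)
        if ip:
            entry["ips"].add(ip.group(1))
    return summary

def logins_without_mailbox(summary, mailboxes):
    """Login ids seen in the log that are not in the operator-supplied mailbox list."""
    known = {m.lower() for m in mailboxes}
    return sorted({login for _, login in summary if login.lower() not in known})

if __name__ == "__main__":
    report = authenticated_senders(SAMPLE_LOG)
    for (authenticator, login), e in report.items():
        print(authenticator, login, e["count"], sorted(e["ips"]))
    print("no mailbox:", logins_without_mailbox(report, ["user@example.com"]))
```
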