I wonder whether the problem might be as simple as this: A contact of Tosh McCaber's has contracted a mass mailing virus. That virus is sending out spam and/or itself with a forged "from" line giving Tosh McCaber's address, even though the e-mail is actually coming from the victim's machine. When the spam is undeliverable as addressed, it gets bounced, but bounced back to Tosh McCaber as that is the "from" and/or "reply to" address.

Maybe I've missed something in the description which shows why this suggestion is a load of rubbish, but I make it FWIW.