The users on the domain of one of my sites are receiving lots of unreturned email which wasn't sent by them.

Could this be a security issue in the sense that someone is using our server to send email through form mail.cgi on the server. or is this just regular spam, i'd say on average about 10 emails a day are received.

Any advice would be appreciated,

thanks.

formmail.pl is notorious for it's use by spammers. It was even placed at #3 for the top 10 attacks for the 1st quarter of 2002: http://www.securityfocus.com/corporate/research/top10attacks_q1_2002.shtml

I would recommend making your own script, or using one such as http://www.webdevfaqs.com/php.php#mailer that hard codes the recepient address into the form handler. Note that the script above is written in PHP.