Okay, has the original addressee subscribed threads of the forum?

I don't know but I guess I could find out. Still the email didn't look like an automatic email informing a user about a post. It looks to me like some spammer somehow was able to use the "send email via the board" option, spoofed the sender and got the email out. If that could happen once it can happen again.
My main concern here is that the mail server from this VPS gets blacklisted, something I absolutely don't want to happen.

So, for now I put an empty file with the name contact.inc.php in the includes directory, removing the option to send emails via the board. That should effectively stop anybody who wants to send spam via the forum.
I know this also makes the 'Contact' link dysfunctional, so be it. I might get a secure PHP contact form and use that for the contact option.

Until I know that the "send email via the board" option is 100% safe I will leave it like this.