I've been hit by the same problem. My mail host reports nicely back on each undeliverable mail - in the thousands now. As described above, the original mails (including the original headers) are appended to the "Mail delivery failed: returning message to sender" mails I get. And, of course, it doesn't make sense to report my own mail host as spammer...
Using Thunderbird as mail client, I have developed a scri_pt which parses the Thunderbird INBOX file and extracts the original "Received: from" lines. Seems like there are to kinds:
"Received: from mail.xxxx.com ([123.456.789.123]:<port number> helo=exploited.site.com)"
"Received: from [123.456.789.123] (port=34176 helo=exploited.site)"
(mail.xxx.com would be the name of the mail server sending on behalf of the exploited site.)
It seems like - in my case - that they come in groups of up to 5, and then the source changes. In a sample of 2070 there were a total of 782 unique IP sender addresses.
The text included in the original mail (spoofing my mail ID) varies sligthly - I've seen French, English, Polish, Italian texts, but more or less to the same adult point.
Now, this is all very interesting, because now I have a view of the bot net used.
But then what to do next? Since it's not doable to copy/paste each individual original header into some reporting tool - and since, in principle, the exploited domain owner should report the spam - can I then take this extracted information (mail server ID + IP address + exploited domain name) and report this on SpamCop or somewhere else?