I have the same situation with one of my domains and basically I enabled SPF and that's all I can do. I analyze all the bounce backs and it's not originating from my location (based on IP's of senders and the fact I get the SPF failure bounce back as well).
This has nothing to do with the host and everything to do with the internet.
I blame the host as they claim my information was stolen, but then they admit that they do not require any security when using a mail client. Just put in their default server information and you're good to go. If they would have set up SSL i don't think i would have had this problem.
I have used Google Apps, Outlook.com, DreamHost, Hostpapa, Fatcow and never had this problem until this last Friday with Hostgator- who puts EVERYTHING on their "help site" so they don't have to provide support. It even took 3 calls and "online chats" to get a ticket created for the abuse department. otherwise the poorly trained reps would just pass the buck after 1hour+ on hold and say it was fixed.
it is an issue when they're wide open and anyone can send email through them. That does become a big issue. Especially when it becomes a hosting customer's problem when the host won't help correct their mistakes.