I opened a ticket today with Symantec, it was an odd issue that was occuring, it is still occuring but I have created a rule to stop the end users mailboxes from being flooded with NDRs.
Basically our email addresses were being spoofed on the outside to send spam, however the recipient address was the same address as the senders. The spoofed message was classified as spam, so the appliance sent an NDR to the sender (which was the same address) and ultimately the NDR was still delivered it to our local domain.
This is why we did not see any traces in the audit log for these messages, because it was the appliance which generated the NDRs.
I believe this is a concern, but the appliance is working as designed, from a process perspective. It is concerning to us though.