You're assuming, of course, that all those compromised have a Mac.
Additionally, since the e-mails in the sent folder have "Apple webmail" or "MobileMe Webmail", this implies that the sent mail passed through the webmail service.
If an attacker had your username / password combo, and could pull your contacts, it would make more sense to send through SMTP directly. Since SMTP doesn't place a copy of the message in the "Sent mail" folder (Your mail client does this with IMAP), the spammer would leave essentially no trace.
The fact that header suggests the messages were pushed through webmail is what concerns me.