I don't understand what you mean? Users are on the secondary MX server. The primary one is just a scanning proxy that should filter off all the unwanted mail.
There's been a rash of spam being sent directly to secondary mail servers lately... I read this on some forum somewhere, and when I checked the Qube on my desk that is just my gateway and backup MX server (in case my colo RaQ went down), there was a LOT of spam sitting in the inbox there.
If your secondary is listed publicly (which it obviously is), the spammers may be sending to it first, bypassing your primary (and thus bypassing your spam scan).
Not sure how to get around it, other than removing your secondary from DNS, so that all mail for your domain(s) is sent to the scanning box. Maybe there's a way to forward it "internally" to the secondary that doesn't use DNS MX records...?
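
A mailbox-side check for the bypass described in this thread, as an added example that is not part of the original posts: it reads the Received header written by the mailbox server itself and flags mail that was not handed over by the scanning proxy. The host name, IP addresses and sample messages are constructed placeholders.

```python
import re
from email import message_from_string

# Assumptions (placeholders, not from the thread): the mailbox host's name
# and the address of the scanning proxy that should deliver all mail to it.
MAILBOX_HOST = "mail2.example.com"
SCANNER_IPS = {"192.0.2.10"}

BY_RE = re.compile(r"\bby\s+([A-Za-z0-9.-]+)", re.IGNORECASE)
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def delivering_ip(raw_message, mailbox_host=MAILBOX_HOST):
    """IP of the client that handed the message to the mailbox host.

    Only the Received header written by our own server is trusted; the
    HELO name and every header below it are supplied by the sender.
    """
    msg = message_from_string(raw_message)
    for value in msg.get_all("Received", []):  # newest hop first
        by = BY_RE.search(value)
        if by and by.group(1).lower() == mailbox_host:
            ip = IP_RE.search(value[:by.start()])  # the "from" clause
            return ip.group(1) if ip else None
    return None

def bypassed_scanner(raw_message):
    """True when the message did not arrive from the scanning proxy."""
    return delivering_ip(raw_message) not in SCANNER_IPS

# Constructed sample: relayed through the scanning proxy.
VIA_SCANNER = (
    "Received: from scan.example.com (scan.example.com [192.0.2.10])\n"
    "\tby mail2.example.com with ESMTP; Mon, 1 Mar 2004 10:00:02 +0000\n"
    "Received: from sender.example.net (sender.example.net [198.51.100.5])\n"
    "\tby scan.example.com with ESMTP; Mon, 1 Mar 2004 10:00:00 +0000\n"
    "Subject: via scanner\n\nbody\n"
)
# Constructed sample: delivered straight to the mailbox host; the HELO
# name claims to be the scanner, but the recorded IP does not match.
DIRECT = (
    "Received: from scan.example.com (unknown [203.0.113.77])\n"
    "\tby mail2.example.com with ESMTP; Mon, 1 Mar 2004 10:05:00 +0000\n"
    "Subject: direct\n\nbody\n"
)

if __name__ == "__main__":
    for name, raw in (("via scanner", VIA_SCANNER), ("direct", DIRECT)):
        print(name, delivering_ip(raw), bypassed_scanner(raw))
```

Run over a mailbox, the count of flagged messages shows how much mail is reaching the mailbox host without being scanned.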