By simply adding the following two lines into your /usr/local/php/php.ini you can track down pretty much any outgoing spam which is using PHP mail() function.
Minimum required PHP version is: PHP 5.3
mail.add_x_header = On mail.log = /var/log/phpmail.log
The first one adds a header to all outgoing emails sent by PHP scripts.
With these in place your emails will have the following headers:
** The number 505 is the UID, the file.php is the script sending the spam.
An example of log in the /var/log/phpmail.log
mail() on [/home/USERNAME/public_html/wp-content/file.php:83]: To: email@example.com -- Headers: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed; delsp=yes Content-Transfer-Encoding: 8Bit X-Mailer: Drupal Sender: firstname.lastname@example.org From: email@example.com