By simply adding the following two lines into your /usr/local/php/php.ini you can track down pretty much any outgoing spam which is using PHP mail() function.

Minimum required PHP version is: PHP 5.3

mail.add_x_header = On
mail.log = /var/log/phpmail.log

The first one adds a header to all outgoing emails sent by PHP scripts.
With these in place your emails will have the following headers:

X-PHP-Originating-Script: 505:file.php
** The number 505 is the UID, the file.php is the script sending the spam.

An example of log in the /var/log/phpmail.log

mail() on [/home/USERNAME/public_html/wp-content/file.php:83]: To: mike@domain.co.uk -- Headers: MIME-Version: 1.0 Content-Type: text/plain; charset=UTF-8; format=flowed; delsp=yes Content-Transfer-Encoding: 8Bit X-Mailer: Drupal Sender: mike@domain.co.uk From: mike@domain.co.uk
Don’t forget to install mod security with automatic update of rules within you CWP to prevent any further hacking of your sites.
Tagged: