How to Determine Which App Is Sending Spam
If you discover your server is sending spam, your primary concern should be determining which of your apps has been compromised and fix the problem there.
First, look for any unusually large PHP mail logs for your apps.
SSH in to your server as each of your system users and run this command, replacing SYSUSER with the user you have SSH'd in as:
ls -l /srv/users/SYSUSER/log/*/*.mail.log
Some apps intentionally send large volumes of legitimate mail, but this command will list your mail logs by size, helping you narrow your search for the offending app.
Once you determine the app you suspect is sending spam, check its PHP mail log, located at the following path:
(SYSUSER is the app's system user, APPNAME is the app's name, and X.Y is the app's PHP version.)
There you will see how many emails your app has sent.
Now, look for entries that will help track down the malicious code. Each entry in this log file will show you the details of which script sent the email, who it was sent to, and the email headers.