Wednesday, June 24, 2015

How to identify a script sending spam through Postfix

How (step by step):
  • Switch to a user with sudo rights
  • Check the mail queue with the command mailq
  • The first column of the mail queue list shows unique mail IDs; pick one from an obvious spam email and copy it
  • Check this email's details with command postcat -q using the unique mail ID you copied in place of
  • Identify the line starting with "X-PHP-Originating-Script". This should show which script is generating the spam emails
  • Remove the script, patch the website with the latest security fixes and make sure folder and file permissions are secure
  • Empty the mail queue with command postsuper -d ALL
  • Check the mail queue again with command mailq to see if more emails are now generated. If the problem persists, repeat the above steps and see if you find other scripts causing you problems.
Source: http://frontmag.no/artikler/how-identify-script-sending-spam-through-postfix
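
The mailq and postcat -q steps above can be applied to every queued message at once, which shows which script accounts for most of the queue. This is an added example, not part of the original post or its source; the function names, the --scan argument and the sample data are constructed for illustration.

```shell
#!/bin/sh
# Added example: tally X-PHP-Originating-Script headers across the Postfix queue.

# Read `mailq` output on stdin and print one queue ID per line.
# Entry lines start in column 1: "<ID>[*|!] <size> <arrival time> <sender>".
queue_ids() {
  awk '/^[0-9A-Za-z]/ && $1 ~ /^[0-9A-Za-z]+[*!]?$/ && $2 ~ /^[0-9]+$/ {
         sub(/[*!]$/, "", $1)   # drop the active (*) or hold (!) marker
         print $1
       }'
}

# Read `postcat -q` output on stdin and print "<count> <header value>",
# most frequent first.
tally_scripts() {
  grep -i '^X-PHP-Originating-Script:' \
    | sed -e 's/^[^:]*:[[:space:]]*//' -e 's/[[:space:]]*$//' \
    | sort | uniq -c | sort -rn \
    | sed 's/^ *//'
}

# Constructed sample data (not from a real server), used for offline checks.
SAMPLE_MAILQ='-Queue ID- --Size-- ----Arrival Time---- -Sender/Recipient-------
A1B2C3D4E5     1204 Wed Jun 24 10:01:12  www-data@web01.example.com
                                         someone@example.net

F6A7B8C9D0*    1198 Wed Jun 24 10:01:14  www-data@web01.example.com
                                         other@example.org

0A1B2C3D4F!     988 Wed Jun 24 10:02:30  www-data@web01.example.com
(connect to mx.example.org[192.0.2.10]:25: Connection timed out)
                                         third@example.org

-- 3 Kbytes in 3 Requests.'

SAMPLE_MSGS='X-PHP-Originating-Script: 33:mailer.php
Subject: constructed message a
X-PHP-Originating-Script: 1001:contact.php
Subject: constructed message b
X-PHP-Originating-Script: 33:mailer.php
Subject: constructed message c'

# Live use on the mail server, with sudo rights: sh tally.sh --scan
if [ "${1:-}" = "--scan" ]; then
  mailq | queue_ids | while read -r id; do
    postcat -q "$id" 2>/dev/null || true   # message may have left the queue
  done | tally_scripts
fi
```

Run it before emptying the queue, since the headers are read from the queued messages themselves.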
