Many Linux servers using Exim to send out email. WHM CentOS servers too and this is how to discover where are scripts which sends most emails on server.

Get how many times mails was sent from some folders/scripts:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
Get list of files in that directory to find out which script can cause spam:

ls -lt /directory/path/here
on the top will be last modified/created ones. Once found bad script, if one wish he can rename, delete or edit it.

if the script content and name looks unknown, one can see by above command its creation/modification date and if he cant create it at that date, the file could been injected somehow and we may want to block IP of the person who used this file to spam or whatever..

to discover IP who accessed that file, one examine apache access log file. On WHM/cpanel linux server it is at /usr/local/apache/domlogs/ on other servers usually in /var/log

so to get only lines that contains that bad script name one can do:
cat /usr/local/apache/domlogs/ | grep badscriptname.php
Note: for cpanel access logs: cat /home/cpaneluserhere/access-logs/*|grep badscriptname.php

one can then examine other log files to see what else was done by that IP on the server. Block IP by firewall, report IP to its internet provider etc.

Another approach to find spamming script is to find spam e-mail log entry in /var/log/exim_mainlog and copy hour and minute of the log entry, then show access log and filter out entries matching that hour, minute cat accesslogfile|grep "12:05. Maybe hacker accessed that mailing script around that time.