Showing posts from July, 2013

Checking Apache for possible hack

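1. Edit php.ini:

    sendmail_path = /usr/local/bin/phpsendmail

   Then create a filter file wrapper. I saw this one and it is very handy.

   /usr/local/bin/phpsendmail:

    #!/usr/bin/php
    <?php
    /**
      This script is a sendmail wrapper for php to log calls of the php mail() function.
      Author: Till Brehm, www.ispconfig.org
      (Hopefully) secured by David Goodwin <david @ _palepurple_.co.uk>
    */
    $sendmail_bin = '/usr/sbin/sendmail';
    $logfile = '/var/log/mail.form';

    //* Get the email content
    $logline = '';
    $mail = '';   // initialise so the first .= does not raise an undefined-variable notice
    $pointer = fopen('php://stdin', 'r');
    while (($line = fgets($pointer)) !== false) {
            //* Record the To: and From: lines for the log
            if (preg_match('/^to:/i', $line) || preg_match('/^from:/i', $line)) {
                    $logline .= trim($line).' ';
            }
            $mail .= $line;
    }

    //* compose the sendmail command
    $command = 'echo ' . escapeshellarg($mail) . ' | '.$sendmail_bin.' -t -i';
    for ($i = 1; $i < $_SERVER['argc']; $i++) {
            //* The post is cut off inside this loop header; everything from here on is an
            //* assumed completion: pass the extra arguments on, log the call, run sendmail.
            $command .= ' ' . escapeshellarg($_SERVER['argv'][$i]);
    }
    file_put_contents($logfile, date('Y-m-d H:i:s') . ' ' . getcwd() . ' ' . $logline . "\n", FILE_APPEND);
    passthru($command, $status);
    exit($status);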
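Once the wrapper is logging, /var/log/mail.form can be triaged for the directories whose scripts send bursts of mail to many recipients. The following is an added example, not part of the original post; the post is cut off before its log-writing line, so the log line format, the thresholds and the function names are assumptions, and the sample lines are constructed.

```python
import re
from collections import Counter, defaultdict

# Constructed sample in the ASSUMED format "<date> <time> <working dir> <To:/From: headers>".
SAMPLE_LOG = """\
2013-07-02 03:14:01 /var/www/site-a/contact From: web@site-a.example To: owner@site-a.example
2013-07-02 09:30:12 /var/www/site-a/contact From: web@site-a.example To: owner@site-a.example
2013-07-02 04:00:01 /var/www/site-b/uploads To: u1@mail.example From: x@site-b.example
2013-07-02 04:00:02 /var/www/site-b/uploads To: u2@mail.example From: x@site-b.example
2013-07-02 04:00:02 /var/www/site-b/uploads To: u3@mail.example From: x@site-b.example
2013-07-02 04:00:03 /var/www/site-b/uploads To: u4@mail.example From: x@site-b.example
2013-07-02 04:00:04 /var/www/site-b/uploads To: u5@mail.example From: x@site-b.example
not a log line
"""

LINE_RE = re.compile(r"^(\d{4}-\d{2}-\d{2} \d{2}:\d{2}):\d{2} (\S+) (.*)$")
TO_RE = re.compile(r"\bto:(.*?)(?=\bfrom:|$)", re.IGNORECASE)
ADDR_RE = re.compile(r"[\w.+-]+@[\w.-]+")

def recipients(headers):
    """Addresses in the To: part of a logged header string (header order may vary)."""
    m = TO_RE.search(headers)
    return {a.lower() for a in ADDR_RE.findall(m.group(1))} if m else set()

def summarize(log_text):
    """Per calling directory: mails sent, distinct recipients, peak mails in one minute."""
    per_dir = defaultdict(lambda: {"mails": 0, "rcpts": set(), "minutes": Counter()})
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue  # ignore lines that do not fit the assumed format
        minute, cwd, headers = m.groups()
        entry = per_dir[cwd]
        entry["mails"] += 1
        entry["rcpts"] |= recipients(headers)
        entry["minutes"][minute] += 1
    return {d: {"mails": e["mails"], "recipients": len(e["rcpts"]),
                "peak_per_minute": max(e["minutes"].values())}
            for d, e in per_dir.items()}

def suspicious(stats, max_per_minute=3, max_recipients=3):
    """Directories exceeding either threshold (illustrative values; tune per site)."""
    return sorted(d for d, s in stats.items()
                  if s["peak_per_minute"] > max_per_minute or s["recipients"] > max_recipients)

if __name__ == "__main__":
    for directory in suspicious(summarize(SAMPLE_LOG)):
        print("review scripts under", directory)
```

A directory that shows up here is where to start looking for an injected or abused PHP script; legitimate contact forms normally mail a small, fixed set of recipients.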