I set up the "formcheck" like you advised through:
The tests were OK, so the script works.
But when the spamming from my server began again the log file was empty.
Then I did an apt-get update and the upgrade.
I also updated from ISPConfig 2.2.27 to 2.2.35.
Still the spamming went on.
When "grepping" through the enormous log file I can't find out who is sending the mails; I can only see a firstname.lastname@example.org and so on.
The email@example.com is not hosted on my server, and it seems to change from time to time to some other user.
I followed up the advice on rkhunter and chkrootkit but they did not alarm me with anything to worry about.
In fact 99% was OK; just 3 hidden directories in /dev were pointed out to me.
They seem to hold no strange files.
THEN I did what stopped the spamming the last time!!
I deleted the whole postfix queue with the following command:
postsuper -d ALL
It then deletes some 2000 mails and the spamming stops (for now).
Do you have any idea why that helps?
So it is not a PHP form abuse.
Checked the server thoroughly, what could it be?
Any ideas where or what I should be checking would be much appreciated.
Thanks for your help in advance.
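
Added example, not part of the original post: Postfix logs where each message entered the queue under its queue ID (`pickup` lines carry the local uid, `smtpd` lines the client and any SASL login), so the log can be grouped by injection point instead of by the changing sender address. The sample log lines, host name, queue IDs and addresses are constructed, and the field positions assume the traditional syslog timestamp format.

```bash
#!/usr/bin/env bash
# Added example. All log lines below are constructed sample data.
sample_log() {
cat <<'EOF'
Jan 10 03:12:01 mail postfix/pickup[1201]: 3F2A1C0D5E: uid=33 from=<anna.one@example.org>
Jan 10 03:12:01 mail postfix/qmgr[1100]: 3F2A1C0D5E: from=<anna.one@example.org>, size=2101, nrcpt=1 (queue active)
Jan 10 03:12:03 mail postfix/pickup[1201]: 5B7C2D1E0F: uid=33 from=<bert.two@example.com>
Jan 10 03:12:03 mail postfix/qmgr[1100]: 5B7C2D1E0F: from=<bert.two@example.com>, size=2098, nrcpt=1 (queue active)
Jan 10 03:12:05 mail postfix/pickup[1201]: 6C8D3E2F10: uid=33 from=<anna.one@example.org>
Jan 10 03:12:05 mail postfix/qmgr[1100]: 6C8D3E2F10: from=<anna.one@example.org>, size=2110, nrcpt=1 (queue active)
Jan 10 03:13:10 mail postfix/smtpd[1300]: 7D9E4F3A21: client=unknown[203.0.113.5], sasl_method=LOGIN, sasl_username=bob
Jan 10 03:13:10 mail postfix/qmgr[1100]: 7D9E4F3A21: from=<bob@example.net>, size=900, nrcpt=1 (queue active)
Jan 10 03:13:11 mail postfix/qmgr[1100]: 7D9E4F3A21: removed
EOF
}

# Read a Postfix syslog file on stdin and print, per injection point,
# how many messages it queued and how many envelope senders it used.
origin_summary() {
  awk '
    # Local submission through the sendmail command (web script, cron, shell user)
    $5 ~ /^postfix\/pickup/ && $7 ~ /^uid=/ { origin[$6] = "local:" $7 }
    # Submission over SMTP: keep the client and, if present, the SASL login
    $5 ~ /^postfix\/smtpd/ && $7 ~ /^client=/ {
      c = $7; sub(/,$/, "", c); u = ""
      if (match($0, /sasl_username=[^, ]+/)) u = " " substr($0, RSTART, RLENGTH)
      origin[$6] = "smtp:" c u
    }
    # Envelope sender as recorded by the queue manager
    $5 ~ /^postfix\/qmgr/ && $7 ~ /^from=</ { from[$6] = $7 }
    END {
      for (id in origin) {
        o = origin[id]; msgs[o]++
        if (!((o, from[id]) in seen)) { seen[o, from[id]] = 1; senders[o]++ }
      }
      for (o in msgs) printf "%d msgs, %d senders, %s\n", msgs[o], senders[o], o
    }
  ' | sort -rn
}

sample_log | origin_summary
```

A dominant `local:uid=` row means a process on the server itself is handing mail to Postfix; an `smtp:` row points to a relaying client or an authenticated login.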