I am having problems with someone sending spam from our server. Sendmail is closed to relaying, but there are 1000s of returned mails in the nobody mailbox (apaches user) and 100s in the mailqueue. The only way they can be sending it is through an attack through php, we have searched high and low on the server for users running scripts and looked through the http logs of users and cannot find anything.

Anybody got any ideas or experience?

:(

well, there are the option of you being A. hacked and someone is spamming, B its the wellknown cgi program. I think that may be your problem. First off, empty the queue, then search for the program. you should also be looking for large text files which store the emails.

also you can check running cgi programs (if it's a real cgi) with ps -aux and then run a find to find in which directory it's stored

look for formmail.pl