We had secured the formmail.pl with the anti-spam version, and we had searched all httpd logs while the spamming occurred, but there wasn't any suspicious call to cgi scripts. We think it could be something harder to check, which is PHP.
Could you perhaps grep the Apache log and count each time a PHP script was called and see which ones were called the most in a certain time period? It might give you a list of scripts to start checking.
-Jim
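
The count suggested above, as an added example that is not part of the original thread: it tallies requests per PHP script inside a time window and also reports how many were POSTs. It assumes Apache common/combined log format; the function names, window bounds (YYYYMMDDHHMMSS, in the log's own timezone) and log lines are constructed for illustration.

```shell
#!/bin/sh
# Added example: per-script PHP request counts inside a time window.
# Assumes Apache common/combined log format.

# Constructed sample log lines (documentation IP ranges, made-up paths).
sample_log() {
cat <<'EOF'
192.0.2.10 - - [12/Jun/2005:01:58:03 +0200] "GET /index.php HTTP/1.1" 200 5120
198.51.100.7 - - [12/Jun/2005:02:10:11 +0200] "POST /contact/send.php HTTP/1.0" 200 312
198.51.100.7 - - [12/Jun/2005:02:10:12 +0200] "POST /contact/send.php HTTP/1.0" 200 312
198.51.100.7 - - [12/Jun/2005:02:10:14 +0200] "POST /contact/send.php?x=1 HTTP/1.0" 200 312
192.0.2.10 - - [12/Jun/2005:02:30:00 +0200] "GET /index.php?page=2 HTTP/1.1" 200 4800
192.0.2.44 - - [12/Jun/2005:02:31:09 +0200] "GET /images/logo.png HTTP/1.1" 200 900
192.0.2.10 - - [12/Jun/2005:04:05:00 +0200] "GET /index.php HTTP/1.1" 200 5120
EOF
}

# usage: count_php_hits LOGFILE START END
# prints "hits posts script", busiest script first
count_php_hits() {
    awk -v start="$2" -v end="$3" '
    BEGIN {
        split("Jan Feb Mar Apr May Jun Jul Aug Sep Oct Nov Dec", m, " ")
        for (i = 1; i <= 12; i++) mon[m[i]] = sprintf("%02d", i)
    }
    {
        # $4 is [12/Jun/2005:02:10:11, $6 is "METHOD, $7 is the request URI
        split(substr($4, 2), t, "[/:]")      # day, month, year, hh, mm, ss
        key = t[3] mon[t[2]] t[1] t[4] t[5] t[6]
        if (key < start || key > end) next   # outside the window
        uri = $7
        sub(/\?.*/, "", uri)                 # drop query string to group per script
        if (uri !~ /\.php$/) next            # only PHP scripts
        hits[uri]++
        if (substr($6, 2) == "POST") posts[uri]++
    }
    END {
        for (u in hits) printf "%d %d %s\n", hits[u], posts[u] + 0, u
    }' "$1" | sort -k1,1nr -k3,3
}

# Stand-alone run over the constructed sample: 02:00:00 to 03:59:59 on 12 Jun 2005.
log=$(mktemp)
sample_log > "$log"
count_php_hits "$log" 20050612020000 20050612035959
rm -f "$log"
```

Set the window to the period in which the spam was sent; scripts whose count in that window is far above their count in a quiet period are the ones to review first.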