I had a spammer hit me last night. The first thing I went to was sendmail.log. He was still sending mail, and I happened to see the formmail he was using and deleted the account. He had 12 formmail scripts. If he had finished before I caught it, I'm not sure how I would have found him.
We need sendmail.log or something that will show what scripts are sending mail with sendmail/exim. The email headers do not help. [email protected] is not very useful.
Normally the procedure here is to do a massive grep in domlogs, wherever you have them (/usr/local/apache/domlogs usually), for patterns that match the offending domain(s) or the sites they are representing. Or just searching for a particularly HIGH frequency of "formmail.cgi" and all its variations will point you to a formmail abuser.
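To make the "grep the domlogs for a high frequency of formmail hits" approach concrete, here is an added example (not from this thread or from cPanel) that parses Apache combined-format access log lines, counts requests to any formmail variant per domain, script path and client IP, and reports the combinations above a threshold. The sample log lines are constructed; the domain names, IPs, the `threshold` of 5 and the `load_domlogs` helper for reading a real domlogs directory are all assumptions.

```python
import os
import re
from collections import Counter

# Constructed sample domlog contents (Apache "combined" format), keyed by domain.
# These are made up for the example, not real server logs.
SAMPLE_DOMLOGS = {
    "example.com": "\n".join(
        ['203.0.113.5 - - [10/Oct/2005:02:14:%02d -0500] "POST /cgi-bin/formmail.cgi HTTP/1.0" 200 512 "-" "Mozilla/4.0"' % s
         for s in range(1, 7)]
        + ['198.51.100.7 - - [10/Oct/2005:02:20:11 -0500] "GET /index.html HTTP/1.1" 200 2048 "-" "Mozilla/5.0"']
    ),
    "shop.example.net": (
        '198.51.100.9 - - [10/Oct/2005:03:01:00 -0500] "POST /contact/FormMail.pl?to=x HTTP/1.1" '
        '200 300 "http://shop.example.net/contact.html" "Mozilla/5.0"'
    ),
}

# client IP, ident, user, [timestamp], "METHOD path protocol", status
LOG_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] "(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3})'
)
# Matches formmail.cgi, FormMail.pl, formmail.php and similar variants, case-insensitively.
FORMMAIL_RE = re.compile(r"formmail", re.IGNORECASE)


def load_domlogs(directory):
    """Read every file in a domlogs directory into {domain: text}. Assumed layout: one file per domain."""
    logs = {}
    for name in os.listdir(directory):
        path = os.path.join(directory, name)
        if os.path.isfile(path):
            with open(path, errors="replace") as fh:
                logs[name] = fh.read()
    return logs


def count_formmail_hits(domlogs):
    """Count requests to any formmail-like script, keyed by (domain, script_path, client_ip)."""
    hits = Counter()
    for domain, text in domlogs.items():
        for line in text.splitlines():
            m = LOG_RE.match(line)
            if not m:
                continue  # skip lines that are not in combined format
            path = m.group("path").split("?", 1)[0]  # drop the query string
            if FORMMAIL_RE.search(path):
                hits[(domain, path, m.group("ip"))] += 1
    return hits


def suspicious(hits, threshold=5):
    """Return (domain, path, ip, count) tuples at or above threshold, busiest first."""
    rows = [(d, p, ip, n) for (d, p, ip), n in hits.items() if n >= threshold]
    return sorted(rows, key=lambda r: (-r[3], r[0], r[1], r[2]))


if __name__ == "__main__":
    # Swap SAMPLE_DOMLOGS for load_domlogs("/usr/local/apache/domlogs") on a real box.
    for domain, path, ip, n in suspicious(count_formmail_hits(SAMPLE_DOMLOGS)):
        print(f"{n:5d}  {domain}  {path}  from {ip}")
```

The per-IP grouping is what separates a legitimate contact form with a few hundred different visitors from one host hammering the same script; a plain `grep -ic formmail /usr/local/apache/domlogs/*` gives the raw count per domain but hides that distinction.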
Agreed, a separate log that can reveal this for the SMTP server alone would be very helpful, and definitely not everything can be expected to go through suexec *yet*.
Just keep in mind domlogs can give you clues, if not a final culprit, in most cases. Just be sure to calm the server in question before you do it.
(i.e., kill cppop, kill apache for a couple of moments)