I'm 99% sure it was php-nuke using a formmail version and loading a BCC with tons of emails.
Also, cPanel support sent me a list of items to check:
+++++++++++++++++++++++++++++++
There are generally 3 possibilities that would enable someone you do not want to be able to send spam:
1) they are sending it via a script on your server.
2) they are sending it as an authenticated user (i.e., they have a user/pass to use) (possibly a user that has a virus that is sending via their mail client)
3) your server is an open relay.
You may need to tighten up your SMTP server; here is a checklist:
Run PHP as the user instead of nobody by enabling PHPSuExec at WHM->Software->Update Apache
Prevent the user nobody from being able to send mail:
WHM->Server Setup->Tweak Settings->Prevent the user 'nobody' from sending out mail to remote addresses
Set WHM->Server Setup->Tweak Settings->Silently Discard all FormMail-clone requests with a bcc: header in the subject line
Set WHM->Server Setup->Tweak Settings->The maximum each domain can send out per hour to something besides 0
Set WHM->Server Setup->Tweak Settings->Track the origin of messages sent though the mail server by adding the X-Source headers (exim 4.34+ required)
Set WHM->Server Setup->Tweak Settings->Include a list of Pop before SMTP senders in the X-PopBeforeSMTP header when relaying mail. (exim 4.34-30+ required)
Set Service Configuration->Exim Configuration Editor->Always set the Sender: header when the sender is changed from the actual sender.
Set Service Configuration->Exim Configuration Editor->Verify the existance of email senders
Set Service Configuration->Exim Configuration Editor->System filter file to /etc/antivirus.exim
Doing some or all of those will help make it difficult or impossible to use your server for spam without being authenticated. And it will leave a trail of what script/user etc. it came from so you can stop it ASAP if it does happen.
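The server-side settings above can be complemented by a check inside the form-to-mail script itself. The following is an added example, not part of the original post or of cPanel's advice: it rejects form fields destined for mail headers when they carry a line break or a bcc: header, the pattern the "FormMail-clone" tweak setting targets. The function names, field names and sample submissions are hypothetical and constructed for illustration.

```python
import re
from urllib.parse import unquote

# A bcc: header name anywhere in a single-line field (same idea as the WHM tweak).
BCC_HEADER = re.compile(r"\bbcc\s*:", re.IGNORECASE)

def decode_fully(value, max_rounds=3):
    """Undo repeated URL encoding so both %0A and %250A are seen as a line feed."""
    for _ in range(max_rounds):
        decoded = unquote(value)
        if decoded == value:
            break
        value = decoded
    return value

def check_field(value):
    """Return the reasons a value is unsafe to place in a mail header."""
    text = decode_fully(value)
    reasons = []
    if "\r" in text or "\n" in text:
        reasons.append("contains CR or LF")
    if BCC_HEADER.search(text):
        reasons.append("contains a bcc: header")
    return reasons

def screen_submission(fields, header_fields=("name", "email", "subject")):
    """Check only the fields that end up in headers; the body may span lines."""
    findings = {}
    for name in header_fields:
        reasons = check_field(fields.get(name, ""))
        if reasons:
            findings[name] = reasons
    return findings

# Constructed sample submissions (not taken from any real log).
CLEAN = {"name": "Alice", "email": "alice@example.org",
         "subject": "Question about hosting",
         "message": "Hi,\nplease do not bcc: my manager.\nThanks"}
INJECTED = {"name": "x", "email": "x@example.org",
            "subject": "Hi\r\nBcc: a@example.net, b@example.net",
            "message": "spam"}
ENCODED = {"name": "x", "email": "x@example.org%250ABcc:a@example.net",
           "subject": "Hi", "message": "spam"}

if __name__ == "__main__":
    for label, sub in (("clean", CLEAN), ("injected", INJECTED), ("encoded", ENCODED)):
        print(label, screen_submission(sub) or "accepted")
```

A script that refuses submissions with findings never hands the injected recipient list to the mail server, so the per-domain hourly limit and the X-Source headers serve as a backstop for scripts that lack such a check.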