If you have SSH access to a server it's pretty easy to see if any accounts are sending out large amounts of email ( through exim ), to do this log into the server via SSH and run the command:
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
The above will list the accounts that have been sending out emails like below:
434 /home/site1/public_html/blog
1012 /home/site2/public_html/blog
2129 /home/site3
16808 /home/site4/public_html/assets/docs
From this we can see that site4 has sent 16808 which will be the culperate, so we need to find out where the email is being sent from, to get this run the following command:
ls -lahtr /home/site4/public_html/assets/docs
This will list the docs like below, in the list we will notice that one file is owned by nobody, this is probably the script that is sending out so thats a starting point.
-rwxrwxrwx 1 burysted burysted 16K Mar 1 2010 license.txt*
-rwxrwxrwx 1 burysted burysted 70 Mar 1 2010 index.html*
-rw-r--r-- 1 nobody nobody 32K Oct 20 2010 db.php
This is the easiest way I have found for finding compromised accounts, however you can guarentee that there are other files within the account so you'll need to find and remove all of them