You appear to be between a rock and the proverbial “hard place”. It can be hard to deal with this, but make no mistake: the situation you described, if you have been completely candid, sounds very much like one or more of your form processing scripts or your applications has been exploited.
It does happen; happened to me once when I, out of laziness and misplaced trust, allowed an “up to date” formmail script, used by a client who transferred to me from another host, to remain on the server.
Spammer exploited the script and punched out a bunch of emails. Very aggravating to have my email sending capability terminated when I have never sent a spam in my life. The fact is, reviewing my logs indicated the repeated hits on the formmail script, and it became obvious to me what happened.
I resolved the matter by identifying the offending code, purging it from my system, and writing a thorough and complete account of the incidents to Dreamhost Support. Given my history of “no spam”, and the identification and removal of the compromised script, they had my email back on within an hour.
Carefully review your logs for unusual activity (your “stats” page can also help, as it will often reflect the page that got “hammered”.) Between the two resources, you should be able to identify the culprit.
Having done that, you have some work to do in removing the script and repairing that functionality with a “safe” replacement. The “over 100 subdomains” does complicate things. Having no idea what functions the subdomains provide, I could not begin to guess how complicated.
FWIW, I have never had the Dreamhost “patched” formmail.cgi form handler abused, and that is the only one I use (except that one time, and I learned my lesson).
The bottom line is, someone using one of your domains, or one of your scripts that was commandeered by some pond-scum, blood-sucking-leech, asshle-muther-Fcker, piece-of-sh*t, low-life, worthless, son-of-a-bitch spammer, has run amok, and you have to find out what happened.
There is another possibility that might apply to your situation. You said you had “over 100” subdomains operating as the same user. Now, 200 mails an hour can easily be generated by a popular forum with lots of bells and whistles - something like:
In 60 minutes:
20 users sign up and get an activation email = 20 emails
10 messages are posted and generate notification emails to 20 users who asked to be emailed with new posts/info, etc = 200 emails
Total = 220 emails
This is one of the problems with the Dreamhost email “quota” - it makes it very hard to run a dynamic site if you have any significant amount of traffic and enable email notification features.
Add to that the possibility that, in your case, if each of your “over 100 subdomains” generated only 2 emails in an hour, since they are all using the same user, that user will break the 200 email per hour limit. I strongly suggest that you not run all these domains as the same user. Run each of them as their own user. It is a major pain to manage that way, but the advantages and security are significant.
That way, if one goes amok, you at least know where to start looking as that user will be the one singled out, and all your sites will not be without email if the offender is “suspended”. I am in the same boat with this, as I was around long before Dreamhost implemented this rule, and many of my domains operate as a single user. It was really convenient to do it that way, and it is a bit of a pain in the ass to go back now and make new users, reset all the file ownerships and permissions, etc., but it has to be done: I can’t have my email, or other programs operating under my users’ email, “borked” if one site breaks, is exploited, or gets reasonably popular.
The answer to what happened lies in your stats and your logs. Seek and you will find.
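Added example, not part of the original post: one way to do the log review described above is to count POST requests per script per clock hour in a web access log and list the ones that were hit repeatedly. It assumes the common Apache/nginx "combined" log format; the function name, threshold, paths, addresses and dates are constructed for illustration.

```python
import re
from collections import Counter, defaultdict
from datetime import datetime

# "combined" format: ip ident user [time] "METHOD path proto" status size ...
LINE_RE = re.compile(
    r'^(?P<ip>\S+) \S+ \S+ \[(?P<ts>[^\]]+)\] '
    r'"(?P<method>[A-Z]+) (?P<path>\S+)[^"]*" (?P<status>\d{3}) '
)

def hammered_scripts(lines, threshold):
    """Return [(hour, path, post_count, distinct_ips)] for every path that
    received at least `threshold` POSTs within one clock hour, busiest first."""
    posts = Counter()
    ips = defaultdict(set)
    for line in lines:
        m = LINE_RE.match(line)
        if not m or m["method"] != "POST":
            continue  # skip malformed lines and anything that is not a form submission
        ts = datetime.strptime(m["ts"], "%d/%b/%Y:%H:%M:%S %z")
        # Bucket by hour; drop the query string so one script is one key.
        key = (ts.strftime("%Y-%m-%d %H:00"), m["path"].split("?", 1)[0])
        posts[key] += 1
        ips[key].add(m["ip"])
    hits = [(h, p, n, len(ips[(h, p)])) for (h, p), n in posts.items() if n >= threshold]
    return sorted(hits, key=lambda r: r[2], reverse=True)

# Constructed sample: 6 POSTs to a form handler in one hour, plus ordinary traffic.
SAMPLE = [
    f'203.0.113.{i} - - [12/Mar/2010:03:{10 + i}:05 -0800] '
    f'"POST /cgi-bin/formmail.cgi HTTP/1.0" 200 512 "-" "-"'
    for i in range(6)
] + [
    '198.51.100.7 - - [12/Mar/2010:03:15:41 -0800] "GET /index.html HTTP/1.1" 200 4310 "-" "Mozilla/5.0"',
    '198.51.100.7 - - [12/Mar/2010:03:16:02 -0800] "POST /contact.php HTTP/1.1" 200 220 "-" "Mozilla/5.0"',
    'garbage line that does not parse',
]

if __name__ == "__main__":
    # Threshold of 5 suits the tiny sample; on a real log pick one that fits normal traffic.
    for hour, path, n, nip in hammered_scripts(SAMPLE, threshold=5):
        print(f"{hour}  {path}  {n} POSTs from {nip} IPs")
```

Run it per site or per user's log directory so a flagged path points at a single domain.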