I understand your frustration better now, and I realize my post probably didn't provide much help. I think what I was trying to emphasize was that my logs did not show any obvious problems. I missed those "twice an hour" form accesses (and they were single accesses!) the first several times I looked for them; they just didn't stand out! There were not "hundreds" of accesses in the log... Just a few that generated "hundreds" of "bad" email messages due to the exploit script not working as the author intended for it to. Again, there was no corresponding access in the logs to associate with a given instance of a spam message.
It was only after carefully dissecting the bounce announcements, and their attached emails (showing exactly what the contents of the message that bounced was) that I was able to identify the domain from which the form had been abused. Only after going to those logs, and specifically inspecting the entries near the time the "bounced" message was dispatched, was I able to track down the problem.
Does that make any sense at all? As a last resort, if you wish, you may contact me via PM and I can arrange for you to forward me a sampling of your bounce messages (I'll need the attachments), and maybe I can help you more.
1) Have you installed anything recently with a mail function? It might be "the new kid on the block" causing the problem, since you have not had it before.
2) Do you use the same form processing software on all your sites? If so, many sites may be involved; if not, that will help you further isolate the offender.
3) Are your 3rd Party Apps all "up to date"? There has been a rash of recent security-related updates on almost all of the popular 3rd Party applications.
Please don't be discouraged (do not let the net-vermin ruin your day!), and don't give up. If I cannot help you figure it out, there are many others here that are a lot more knowledgeable about these things than me; I'm sure we can find you an answer.
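The log check described in this post (take the dispatch time from the message attached to a bounce, then inspect that domain's access log near that time), as an added example that is not part of the original post. It assumes Apache combined-format logs; the sample message, log lines, and function names are constructed for illustration.

```python
import re
from datetime import datetime, timedelta
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample: the original message as attached to a bounce notice.
BOUNCED = """\
Date: Tue, 06 Sep 2005 14:30:05 -0700
From: nobody@example.org
To: victim@example.net
Subject: test

body
"""

# Constructed sample: Apache combined-format access log for that domain.
ACCESS_LOG = """\
192.0.2.10 - - [06/Sep/2005:14:12:44 -0700] "GET /index.html HTTP/1.1" 200 5120 "-" "Mozilla/4.0"
198.51.100.7 - - [06/Sep/2005:14:30:04 -0700] "POST /contact.php HTTP/1.0" 200 312 "-" "-"
192.0.2.10 - - [06/Sep/2005:14:31:10 -0700] "GET /about.html HTTP/1.1" 200 2210 "-" "Mozilla/4.0"
203.0.113.5 - - [06/Sep/2005:15:00:02 -0700] "POST /contact.php HTTP/1.0" 200 312 "-" "-"
"""

# client IP, timestamp, method, path, status
LINE = re.compile(r'(\S+) \S+ \S+ \[([^\]]+)\] "(\S+) (\S+)[^"]*" (\d{3})')

def dispatch_time(raw_message):
    """Return the Date header of the bounced original as an aware datetime."""
    return parsedate_to_datetime(message_from_string(raw_message)["Date"])

def requests_near(log_text, when, window_seconds=60, methods=("POST",)):
    """Return (ip, time, method, path) for log hits within the window of `when`."""
    window = timedelta(seconds=window_seconds)
    hits = []
    for line in log_text.splitlines():
        m = LINE.match(line)
        if not m:
            continue  # skip lines that are not in the expected format
        ip, stamp, method, path, _status = m.groups()
        t = datetime.strptime(stamp, "%d/%b/%Y:%H:%M:%S %z")
        if method in methods and abs(t - when) <= window:
            hits.append((ip, t.isoformat(), method, path))
    return hits

if __name__ == "__main__":
    for hit in requests_near(ACCESS_LOG, dispatch_time(BOUNCED)):
        print(*hit)
```

Both timestamps carry their UTC offset, so the comparison stays correct when the mail server and web server log in different time zones.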