You misunderstood what I was saying in my post. I was trying to explain that a script that was running as your sisters user might have been exploited by a *spammer" (or "cracker, script kiddie, etc), due to a programming error, back-door, etc., to send the spam as her user - not the “script contains spam”. The “script” would not be “counted as spam”, but may have been used by another to send the spam.
This is a relatively common occurrence when “3rd party” scripts are run by those that did not program them to be secure, or do not necessarily understand every weakness or vulnerability in a script they obtained elsewhere.
As the account is suspended, we can’t help you evaluate that by visiting the url in question (it’s no longer reachable because of the suspension), but if you shared the name of the script, the version number, and where the script can be obtained, it may be possible to see if any security advisories or common exploits have been reported for that script.
Again, the beginning of the search for what happened is an carefully examination of your logs and statistics.