Fatal_Error, 2014-01-10 11:06:14
PHP

How to find a vulnerability on a php site?

Hello!
The problem is this: a bunch of client sites are hosted on the server, all on self-written engines.
Recently there has been constant mass mailing of spam from the server. Obviously some kind of vulnerability is being used on one of the sites (I know approximately which one, judging by the domain in the emails sent).
A virus scan found nothing, and manual review of the scripts has also turned up nothing so far (I contacted technical support, but they can't help).
Of course, there is the option of disabling sendmail on the server, but it is used on almost all sites (sending all kinds of forms / messages, etc.).
Has anyone come across this? Can you tell me which way to dig?
PHP 5.3.3

8 answers
la0, 2014-01-10
@la0

I solved a similar problem.
Change sendmail_path to this:

#!/usr/bin/php
<?php
// Wrapper used as sendmail_path: reads the message from stdin and stores it
// in a per-recipient directory, together with the working directory of the
// script that called mail() (that directory points at the offending site).
date_default_timezone_set('Europe/Moscow');
$dir = '/var/www/system/htdocs/mail/list/';
$input = file_get_contents('php://stdin');
// Multiline mode, so the To: header is found even when it is not the first line.
preg_match('|^To: (.*)|m', $input, $matches);
if (!empty($matches[1])) {
    // Character class reconstructed here: the copy on the page was mangled by
    // e-mail address obfuscation. Keep only characters safe for a directory name.
    $d = preg_replace('/[^a-zA-Z0-9@\.-]+/', '', $matches[1]);
    $d = str_replace('@', '_', $d);
} else {
    $d = 'undef';
}
if (!is_dir($dir.$d)) {
    mkdir($dir.$d, 0770);
}
// Append the caller's working directory to the header block.
$input = explode("\n\n", $input, 2);
$input[0] .= "\nX-PM-Origin: ".getenv('PWD');
$input = implode("\n\n", $input);

$fn = date('Y-m-d.His_').'rand'.rand(1111, 9999).'.txt';

file_put_contents($dir.$d.'/'.$fn, $input);

In my example the script only logs the sent email. To have the mail actually go out, you need to add a Received header and put the file into the sendmail queue folder; well, and log getenv('PWD').
Then write directly to the n** people behind that very getenv('PWD').
Alternatively, it is advisable to replace sendmail with exim, which can write the PWD to the log (unfortunately, I could not quickly find how to do this).

Vlad Zhivotnev, 2014-01-10
@inkvizitor68sl

Good Lord. What advice they've given)
Using Exim as an example:
while :; do cat /var/spool/exim4/input/*-H | grep X-PHP-Originating-Script: | sort | uniq; sleep 5; done
After a while the names of the scripts, and the lines they send the letters from, will turn up.
Then find /home -iname script.php to find where this script is. Well, then we remove it and think about how it could have gotten there.
Of course, mail.add_x_header must be enabled in php.ini (usually enabled by default).
If this does not work, then you can enable this:
; The path to a log file that will log all mail() calls. Log entries include
;mail.log =
(in Debian Wheezy: /etc/php5/apache2/php.ini, line 979).
And parse the log to find the script.

Alexey Sundukov, 2014-01-10
@alekciy

The client's WP was constantly getting broken into. When I once again got sick of looking at the mail log (mail.add_x_header, mail.log), I put the site under git. Now, at the slightest suspicion, git status immediately shows where the malware has been planted. The method works well if the site files do not change very often.

Sergey Lerg, 2014-01-10
@Lerg

As an option, override the mail function in PHP so that it logs the name of the site and the subject of the letter.
Once you know which site is sending, find out from which page and with what request, and look for the vulnerability there.

bankapi, 2014-01-10
@bankapi

You can start with the BurpSuite or w3af vulnerability scanners.

Rsa97, 2014-01-10
@Rsa97

Change all passwords, remove unused system users, cut back excess rights.
Compare the information in the emails (sending time) with the mail and HTTP logs and work out which page is being accessed. If there is none, then some script is already sitting on the server and doing harm.
Check open ports and the list of running processes, kill everything superfluous, set up a firewall.

Puma Thailand, 2014-01-10
@opium

In PHP it is easy to turn on logging of sent emails (one line in php.ini); there you will see exactly which script is sending, and then dig from there.
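
Both Vlad's and Puma's answers point at PHP's mail.log. As an added example that is not part of this thread, here is a small Python parser for that log (entry shape as written by PHP's ext/standard/mail.c, sample lines constructed) which aggregates sends per originating script and flags scripts that fan out to many distinct recipients:

```python
import re
from collections import defaultdict

# Shape of a PHP mail.log entry as written by ext/standard/mail.c when
# mail.log is set: "[ts] mail() on [script:line]: To: ... -- Headers: ...".
# The timestamp prefix differs slightly between PHP versions, so only the
# bracketed form is assumed here.
LOG_RE = re.compile(
    r"^\[(?P<ts>[^\]]+)\] mail\(\) on \[(?P<script>.+?):(?P<line>\d+)\]: "
    r"To: (?P<to>.*?) -- Headers:\s*(?P<headers>.*)$"
)

def parse_mail_log(lines):
    """Return one dict per parseable entry; unrelated log noise is skipped."""
    entries = []
    for line in lines:
        m = LOG_RE.match(line.rstrip("\n"))
        if m:
            entries.append(m.groupdict())
    return entries

def summarize(entries):
    """Per originating script: send count, distinct recipients, call sites."""
    stats = defaultdict(lambda: {"count": 0, "recipients": set(), "lines": set()})
    for e in entries:
        s = stats[e["script"]]
        s["count"] += 1
        s["recipients"].add(e["to"].strip().lower())
        s["lines"].add(int(e["line"]))
    return dict(stats)

def suspicious_scripts(stats, min_count=4, min_recipients=3):
    """Scripts that send often AND fan out to many distinct addresses."""
    return sorted(script for script, s in stats.items()
                  if s["count"] >= min_count and len(s["recipients"]) >= min_recipients)

# Constructed sample log (not from the thread): one legitimate contact form and
# one file dropped under an uploads directory that mails many addresses.
SAMPLE_LOG = """\
[10-Jan-2014 11:01:02] mail() on [/var/www/shop/contact.php:42]: To: owner@shop.example -- Headers: From: form@shop.example
[10-Jan-2014 11:02:10] mail() on [/var/www/blog/uploads/x.php:1]: To: a1@mail.test -- Headers: From: promo@blog.example
[10-Jan-2014 11:02:11] mail() on [/var/www/blog/uploads/x.php:1]: To: a2@mail.test -- Headers: From: promo@blog.example
[10-Jan-2014 11:02:11] mail() on [/var/www/blog/uploads/x.php:1]: To: a3@mail.test -- Headers: From: promo@blog.example
[10-Jan-2014 11:02:12] mail() on [/var/www/blog/uploads/x.php:1]: To: a4@mail.test -- Headers: From: promo@blog.example
[10-Jan-2014 11:05:30] mail() on [/var/www/shop/contact.php:42]: To: owner@shop.example -- Headers: From: form@shop.example
PHP Warning: something unrelated that must be ignored
"""
```

Run it over the real file with `summarize(parse_mail_log(open("/var/log/php_mail.log")))` and the flagged path, together with its `lines` set, is the script (and call site) to inspect first.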

Igor Lyutoev, 2014-01-15
@loader777

Recently faced the same problem. I did not find which way the hack came in, but I cleaned everything up with the help of this script: www.revisium.com/ai/. It finds web shells, etc.
