Locate spam scripts in Exim WHM
From time to time you might find that some scripts have been compromised on a particular user's website (WordPress, Joomla, etc.). To identify the directory from which these scripts are spamming, you can run the following command in the terminal: grep cwd /var/log/
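
The following is an added example, not part of the original page: it tallies the working directories recorded in Exim "cwd=<dir> <n> args:" log lines, so the directory submitting the most mail stands out. The function names count_cwd and sample_log are hypothetical, the log lines are constructed samples, and skipping /var/spool (Exim's own queue runs) is an assumption.

```bash
#!/usr/bin/env bash
# Added example: count mail submissions per working directory from Exim
# "cwd=" log lines read on stdin. Not the page's own command.

# Constructed sample lines in the "cwd=<dir> <n> args: ..." format.
sample_log() {
cat <<'EOF'
2024-05-01 10:00:01 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:02 1sABCD-0001-AB <= alice@example.com U=alice P=local S=812
2024-05-01 10:00:03 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:04 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2024-05-01 10:00:05 cwd=/home/bob/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:06 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:07 cwd=/home/carol/public_html/old site 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:08 cwd=/home/bob/public_html/tmp 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:09 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
EOF
}

# Prints "<count> <directory>", highest count first.
count_cwd() {
  awk '
    {
      idx = index($0, " cwd=")
      if (!idx) next                      # not a cwd line
      rest = substr($0, idx + 5)          # text after " cwd="
      # The directory ends where " <n> args:" begins; this keeps paths
      # that contain spaces intact.
      if (!match(rest, / [0-9]+ args:/)) next
      dir = substr(rest, 1, RSTART - 1)
      if (dir == "" || dir ~ /^\/var\/spool/) next   # skip queue runs
      seen[dir]++
    }
    END { for (d in seen) printf "%d %s\n", seen[d], d }
  ' | LC_ALL=C sort -k1,1nr -k2
}

# Demonstration on the constructed sample.
sample_log | count_cwd
```

A directory under a site's upload, cache or temporary folder at the top of the list is the place to start inspecting for injected PHP files.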