I am no expert on MIAB cron jobs but I am sure somebody on this forum can identify them. Anyway. Do close Port 25 and while you are trying to identify the culprit send via relay. If it is a malware script sending via PHP it must exploit port 25 for sure. Sending via relay will eliminate this problem.