tnats@
Guest
One of my customers is somehow being hacked but we can't figure it out. Somehow someone is injecting 1000s of emails into qmail.
In the Apache error log, I keep seeing this, but it doesn't provide an IP address:
sh: /uname: No such file or directory
sh: /echo: No such file or directory
sh: /id: No such file or directory
sh: /cd: No such file or directory
sh: /cd: No such file or directory
More fun stuff:
qmail-inject: fatal: unable to parse this line:
bcc: noragoolsby@aol.com,chiste5@aol.com,donaldshabazz@aol.com,^M
lr112697@aol.com,bagcatfish@aol.com,andramira@aol.com,^M
timmythetermite@aol.com,tomfunker@aol.com,giti522n@aol.com,^M
oginoyone@aol.com,pcvenokur@aol.com,magoowo7@aol.com,^M
luv2hug511@aol.com,slsc21@aol.com,dayates632@aol.com,^M
thedollardiva@aol.com,robinsonesq@aol.com,davjonpaul@aol.com,^M
hjbebe@aol.com,mbeaud44@avalue="likelihood inurl:
sh: /uname: No such file or directory
sh: /id: No such file or directory
sh: /echo: No such file or directory
[Sun Feb 18 10:58:03 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting
[Sun Feb 18 13:42:44 2007] [error] [client 71.212.177.30] File does not exist: /usr/share/psa-horde/favicon.ico
sh: /uname: No such file or directory
sh: /echo: No such file or directory
sh: /id: No such file or directory
sh: /cd: No such file or directory
The 71. IP address is a legit customer.
Can anyone help me here?
Thanks,
Tom
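The `sh:` lines quoted above have no timestamp or client address because they are stderr written by a child process rather than entries logged by httpd itself. As an added triage example (not part of the original post), the sketch below groups those lines and brackets each group with the nearest timestamped entries, giving a time range to search in the access logs, which do record client addresses. The function name, the dictionary keys and the first sample line are assumptions made for illustration.

```python
import re
from datetime import datetime

# Apache error_log entries written by httpd itself: [Sun Feb 18 10:58:03 2007] [error] ...
STAMPED = re.compile(r"^\[(\w{3} \w{3} [ \d]\d \d\d:\d\d:\d\d \d{4})\] \[\w+\] ")
# Raw stderr from a shell that could not find the command it was told to run
SHELL_ERR = re.compile(r"^sh: (\S+): No such file or directory$")

def shell_error_windows(lines):
    """Group unstamped shell errors and bracket each group with the nearest
    httpd timestamps, giving a time range to search in the access logs."""
    windows, current, last_ts = [], None, None
    for raw in lines:
        line = raw.rstrip("\r\n")
        stamped = STAMPED.match(line)
        if stamped:
            last_ts = datetime.strptime(stamped.group(1), "%a %b %d %H:%M:%S %Y")
            if current:                      # a stamped line closes the open group
                current["end"] = last_ts
                windows.append(current)
                current = None
            continue
        shell = SHELL_ERR.match(line)
        if shell or line.startswith("qmail-inject: fatal:"):
            if current is None:
                current = {"start": last_ts, "end": None,
                           "commands": [], "qmail_fatal": False}
            if shell:
                current["commands"].append(shell.group(1))
            else:
                current["qmail_fatal"] = True
    if current:                              # log ended while a group was open
        windows.append(current)
    return windows

# Constructed sample: message formats follow the post; the first line,
# its path and its address (192.0.2.10, a documentation range) are made up.
SAMPLE = [
    "[Sun Feb 18 10:41:00 2007] [error] [client 192.0.2.10] File does not exist: /var/www/example/favicon.ico",
    "sh: /uname: No such file or directory",
    "sh: /id: No such file or directory",
    "qmail-inject: fatal: unable to parse this line:",
    "sh: /echo: No such file or directory",
    "[Sun Feb 18 10:58:03 2007] [error] server reached MaxClients setting, consider raising the MaxClients setting",
    "sh: /cd: No such file or directory",
]

if __name__ == "__main__":
    for w in shell_error_windows(SAMPLE):
        print(w["start"], "->", w["end"], w["commands"], "qmail-inject fatal:", w["qmail_fatal"])
```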