Just a heads up, I suddenly had a mad rush of emails being sent from my dedicated server (I had a warning from my server) After digging into it and scanning lots of headers i narrowed it down to some rogue files.
a modified include.php in the wordpress root
a new file in the root called _empix.php (do not download this its a virus) it has the look of a gif if examined in an editor.
a file called bla.php has some base 64 and a gmail account listed in it.
a new/modified file called amd.php with the same date timestamp as the above files.
What it does is use the root / hosts admin email address to use to send or just the host (cpanel account) username example firstname.lastname@example.org to send emails.
I suggest doing a manual check, this one bypassed the security on server, wordpress security and wordfence didnt even pick it up.
Hope this helps someone else.