I discovered today, on a WP install, a malicious script that uses the WP website as a relay to send PayPal phishing and spam. The attacker is coming from small local Romanian ISPs.
To avoid or be warned about this kind of stuff, simply log your PHP outgoing mail and check it; you will easily see if there is a mass mailing.
And add a specific sender's domain from your server if you are using virtual hosts.
With these 2 tricks, you can't block them immediately, but if you add a robot that checks the log, you can easily be warned by email of any mass outgoing mail.
I have not found the back-door entry for the moment, but all the malicious scripts were installed in the wp-content dir as hidden files (.file).
FYI, the script is not detected by any of the on-line security services I tested.
I hope this helps,
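
A sketch of the log-checking robot described above, as an added example that is not part of the original post: it reads the file written by PHP's `mail.log` directive and reports scripts that send a burst of mail or that live in a hidden file. The line format, the paths, the addresses and the threshold of 5 mails per 10 minutes are assumptions, and the sample log is constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed line format: what PHP writes when mail.log is set in php.ini.
LINE_RE = re.compile(
    r"^\[(?P<ts>\d{2}-\w{3}-\d{4} \d{2}:\d{2}:\d{2})[^\]]*\] "
    r"mail\(\) on \[(?P<script>.+?):\d+\]: To: .*? -- Headers:")

# Constructed sample: 8 mails in 8 seconds from a hidden file, 1 normal mail.
SAMPLE_LOG = [
    f"[08-Mar-2013 12:01:{s:02d} UTC] mail() on "
    f"[/var/www/vhosts/example.com/wp-content/.cache.php:12]: "
    f"To: user{s}@example.net -- Headers: From: service@example.org"
    for s in range(8)
] + [
    "[08-Mar-2013 12:30:00 UTC] mail() on "
    "[/var/www/vhosts/example.com/wp-includes/pluggable.php:1]: "
    "To: admin@example.com -- Headers: From: wordpress@example.com"
]

def is_hidden(script):
    """True if any component of the script path is a dotfile or dot-directory."""
    return any(part.startswith(".") for part in script.split("/") if part)

def find_suspects(lines, max_mails=5, window=timedelta(minutes=10)):
    """Return {script: [reasons]} for scripts that mass-mail or are hidden."""
    by_script = defaultdict(list)
    for raw in lines:
        m = LINE_RE.match(raw)
        if m:  # lines in any other format are ignored
            ts = datetime.strptime(m["ts"], "%d-%b-%Y %H:%M:%S")
            by_script[m["script"]].append(ts)
    suspects = {}
    for script, stamps in by_script.items():
        stamps.sort()
        start, burst, reasons = 0, 0, []
        for end, ts in enumerate(stamps):  # sliding window over send times
            while ts - stamps[start] > window:
                start += 1
            burst = max(burst, end - start + 1)
        if burst > max_mails:
            reasons.append(f"{burst} mails within {window}")
        if is_hidden(script):
            reasons.append("hidden file")
        if reasons:
            suspects[script] = reasons
    return suspects

if __name__ == "__main__":
    print(find_suspects(SAMPLE_LOG))
```

Run from cron against the real log file, the returned dictionary can be mailed to the administrator whenever it is not empty.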