The fact that the logs are showing it coming from ww-data@<servername> suggests that it could be coming from your web server, or at least the web server user which could mean someone hijacking a process owned by that user. As you mention a forum, it is also possible that you have content that contains the code to send messages. This is a common trick. The first thing to check would be to see if the versions of software your running on your system have known vulnerabilities that could explain this.
Following that, your idea to try to track down the process is the way to go. However, this can be a little bit tricky, especially if your log files are not showing the process / user. Part of the problem will be to capture it happening as almost all of the tools used will give you static snapshots. You could try something like the following (borrowing from one of unSpawns posts
( \ps axfwwwe 2>&1; lsof -Pwln 2>&1; \ls -al /var/spool/cron 2>&1; netstat -anpe 2>&1; lastlog 2>&1; last 2>&1; who -a 2>&1 ) > /path/to/data.txt
This will concatenate the process tree into a file called data.txt and should show if you have any rogue processes running.
The next level up the difficulty chain would be to try to use a program like iftop, tcpdump to capture traffic on your local loopback interface and see what you can find making use of port 25. You could also try shutting down a service, like your web server, to see if it stops.
However, given that your logs are showing the user being www-data and that you are running a user content forum system, I would start looking through the post content.