
Malicious PHP file found on my webserver, need help cleaning and preventing this from happening again [closed]


eval() is a very dangerous little language construct in that it can execute practically any piece of PHP code passed to it as a string, so it certainly could be that script sending the mail, although sending out spam is actually fairly non-destructive as far as what eval() could do.

If your page had the permissions to delete every file in your web root, eval() would be able to do that too, just by someone sending the right command to the script via POST.

If you really want to ensure it is that piece of code sending out the mail, put it back but modify it to your advantage. Stop it from using eval() and instead save the POST data to a database or text file. It is the only way you will know exactly what this code is being used for.
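One way to do the replacement this answer describes, as an added example that is not part of the original answer: a file placed at the backdoor's path that records each request and never executes it. The log path, size cap and record field names are assumptions; the original script is not shown on this page, so the whole request body is logged rather than one named POST field.

```php
<?php
// Added example: stands in for the backdoor file, records what is sent to it,
// and executes nothing. There is no eval() anywhere in this file.

// Hypothetical path: keep it outside the web root, writable by the web server user only.
const LOG_FILE = '/var/log/backdoor-capture/requests.jsonl';
// Cap stored bytes per request so the log cannot be flooded.
const MAX_BODY = 65536;

function build_record(array $server, string $body): array
{
    return [
        'time'        => gmdate('c'),
        'remote_ip'   => $server['REMOTE_ADDR'] ?? '',
        'method'      => $server['REQUEST_METHOD'] ?? '',
        'uri'         => $server['REQUEST_URI'] ?? '',
        'user_agent'  => $server['HTTP_USER_AGENT'] ?? '',
        'body_bytes'  => strlen($body),
        'body_sha256' => hash('sha256', $body),
        // base64 keeps the payload inert in the log: no newlines to forge
        // extra log lines, nothing a log viewer could render or run.
        'body_b64'    => base64_encode(substr($body, 0, MAX_BODY)),
    ];
}

// Raw body covers urlencoded and arbitrary POSTs.
$raw = file_get_contents('php://input');
$raw = ($raw === false) ? '' : $raw;

// php://input is empty for multipart/form-data, so fall back to the parsed fields.
if ($raw === '' && !empty($_POST)) {
    $raw = http_build_query($_POST);
}

// Substitute invalid UTF-8 in headers instead of letting json_encode() fail.
$line = json_encode(
    build_record($_SERVER, $raw),
    JSON_UNESCAPED_SLASHES | JSON_INVALID_UTF8_SUBSTITUTE
);

if ($line !== false) {
    // LOCK_EX keeps concurrent requests from interleaving their lines.
    file_put_contents(LOG_FILE, $line . "\n", FILE_APPEND | LOCK_EX);
}

// Answer with an empty 200 and do nothing else.
http_response_code(200);
```

Each log line is one JSON object; decode `body_b64` on a separate machine to read what the sender wanted executed.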


This php script seems rather too short to do any damage, but what else can be sending out all of that spam mail?

How do you believe this code is too short to damage? It is the worst possible code there with eval().

The eval() language construct is very dangerous because it allows execution of arbitrary PHP code. Its use thus is discouraged. If you have carefully verified that there is no other option than to use this construct, pay special attention not to pass any user provided data into it without properly validating it beforehand.

They can execute any PHP code using that too short code. Eval is EVIL. Do not allow file upload permissions without validation.

but what else can be sending out all of that spam mail?

That very same eval code is sending emails. They post email code to it and it in turn executes it and sends out the email.