eval()
is a very dangerous little language construct in that it can execute practically any piece of PHP code passed to it as a string, so it certainly could be that script sending the mail, although sending out spam is actually fairly non-destructive as far as what eval()
could do.
If your page had the permissions to delete every file in your web root, eval()
would also be able to do it too, just by someone sending the right command to the script via POST.
If you really want to ensure it is that piece of code sending out the mail, put it back but modify it to your advantage. Stop it from using eval()
and instead save the POST data to a database or text file. It is the only way you will know exactly what this code is being used for.