Hosting company cPanel servers are a bit of a special case though. I've run these before and once customers start installing WordPress it can be a matter of hours before a bad plugin gets turned into a spam bot. It's at a point where blocking port 25 outbound is a responsibility imo.
WordPress contact forms are routinely abused - I regularly see forms where enter a victim as "my address" and then it helpfully copies the message to the spam recipient. There's always a web designer who wants it this way for UX reasons, even when I shown how it's abused.
Yep, contact forms in WordPress but even non WordPress sites too. Then of course if you got a plugin to detect brute forces, seem like WordPress sites get ton of them! Probably because you can detect if a site runs WordPress or not, so bots use that.
Sounds like the only solution to contact form spam might be rate limiting and/or captchas but even bots can bypass captchas too unless you use one like Google reCaptcha maybe but sucks your system has to rely on third party services then.
WordPress contact forms are routinely abused - I regularly see forms where enter a victim as "my address" and then it helpfully copies the message to the spam recipient. There's always a web designer who wants it this way for UX reasons, even when I shown how it's abused.