Track down “nobody” spammers, Add Extended Logging To Exim

September 25th, 2009 by tech

If you’re seeing outgoing spam from nobody@your.hostname.tld, you can track it down fairly easily.

In WHM, go to Exim Configuration Editor, then select Advanced Editor. In the first field, paste in:


log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject

You will then see extended logging in /var/log/exim_mainlog. You can simply run

grep cwd=/home /var/log/exim_mainlog

and that will show you the working directory (the cwd= path) for any user that is sending email via sendmail through Exim. It won’t give you the filename, but at least you’ll have the user/folder name, and you can look through the scripts in that folder from there.
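On a busy server the grep output is long, so it helps to rank the directories by how many times each one invoked sendmail. The script below is an added example, not part of the original post: the function names top_cwd and sample_log are made up here, the log lines are constructed, and it assumes the default timestamp layout (no log_timezone, no +pid) so that cwd= is the third field.

```shell
#!/bin/sh
# Rank the /home directories that invoked Exim's sendmail interface.
# Input: exim_mainlog lines written with +arguments in log_selector, e.g.
#   <date> <time> cwd=/home/USER/... N args: /usr/sbin/sendmail -t -i

# top_cwd [FILE...]   (reads stdin when no file is given)
# Prints "COUNT USER DIRECTORY", busiest directory first.
top_cwd() {
    awk '
    # Match only when cwd= is the third field, followed by the argument
    # count and "args:". A Subject logged by +subject sits later in the
    # line, so sender-controlled text cannot add a fake entry to the tally.
    # Directories containing spaces fail this test and are skipped.
    $3 ~ /^cwd=\/home\// && $4 ~ /^[0-9]+$/ && $5 == "args:" {
        dir = substr($3, 5)        # drop the leading "cwd="
        split(dir, part, "/")      # part[3] is the account name
        seen[part[3] " " dir]++
    }
    END { for (k in seen) print seen[k], k }
    ' "$@" | sort -k1,1nr -k3,3
}

# Constructed sample lines (not real traffic) in exim_mainlog format.
sample_log() {
    cat <<'EOF'
2009-09-25 10:01:02 cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2009-09-25 10:01:03 cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2009-09-25 10:01:04 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2009-09-25 10:01:05 cwd=/home/alice/public_html/contact 3 args: /usr/sbin/sendmail -t -i
2009-09-25 10:01:06 1MrB0b-0001aB-Cd <= nobody@host.example.tld U=nobody P=local S=812 T="cwd=/home/eve 3 args:"
2009-09-25 10:01:07 cwd=/home/bob/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
EOF
}

# Demo on the sample; on a server run: top_cwd /var/log/exim_mainlog
sample_log | top_cwd
```

The directory at the top of the list is the first place to look for the script that is sending as nobody.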
