
Track down “nobody” spammers, Add Extended Logging To Exim

September 25th, 2009

If you’re seeing outgoing spam from nobody@your.hostname.tld, you can track it down fairly easily.

In WHM, go to Exim Configuration Editor, then select Advanced Editor. In the first field, paste in:


log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject

You will then see extended logging in /var/log/exim_mainlog. You can simply run

grep cwd=/home /var/log/exim_mainlog

and that will show you the working directory (cwd) for any user sending email via sendmail through Exim; the cwd= field is written to the log because of the +arguments selector. It won’t give you the filename, but at least you’ll have the user and folder name, and you can look through the scripts in that folder from there.
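On a busy server the grep output can run to thousands of lines, so it helps to rank the directories and accounts by how often they invoke sendmail. The following is an added example, not part of the original post: the function names top_cwd, top_users and write_sample_log are hypothetical, the sample log lines are constructed, and it assumes directory names without spaces.

```shell
#!/bin/sh
# Added example: summarise the cwd= entries that +arguments writes to the main log.

# Count Exim invocations per working directory under /home, busiest first.
# Assumes directory names contain no spaces (awk splits fields on whitespace).
top_cwd() {
    log="${1:-/var/log/exim_mainlog}"
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^cwd=\/home\//) { count[substr($i, 5)]++; break }
    }
    END { for (d in count) printf "%d %s\n", count[d], d }' "$log" |
        sort -k1,1nr -k2
}

# Roll the per-directory counts up to the account name (/home/<user>/...).
top_users() {
    top_cwd "$1" |
        awk '{ split($2, p, "/"); n[p[3]] += $1 }
             END { for (u in n) printf "%d %s\n", n[u], u }' |
        sort -k1,1nr -k2
}

# Constructed sample lines in the shape Exim logs with +arguments enabled.
write_sample_log() {
    cat > "$1" <<'EOF'
2009-09-25 10:15:01 cwd=/home/alice/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2009-09-25 10:15:02 cwd=/home/bob/public_html/contact 4 args: /usr/sbin/sendmail -t -i -fbob@example.com
2009-09-25 10:15:03 cwd=/home/alice/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2009-09-25 10:15:04 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2009-09-25 10:15:05 cwd=/home/alice/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2009-09-25 10:15:06 cwd=/home/alice/tmp 3 args: /usr/sbin/sendmail -t -i
EOF
}

# Demo on the constructed sample; on a real server call top_cwd with no argument.
sample=$(mktemp) && write_sample_log "$sample" && top_cwd "$sample" && top_users "$sample"
rm -f "$sample"
```

A directory that dominates the ranking is the first place to look for the sending script.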