Top items to check:
1) Make sure "SMTP Tweak" is enabled in WHM.
This SMTP tweak will prevent users from bypassing the mail server to send mail (this is a common practice used by spammers). It will only allow the MTA (mail transport agent), mailman, and root to connect to remote SMTP servers.
2) Make sure "Sender Verification" is checked in "Exim Configuration Manager" within WHM. "Sender Verification Callouts" is helpful as well, but is applicable more to receiving spam.
3) From ssh run: netstat -naop | less
Look for any suspicious processes with dest port 25 - this should also list the PID and full path of the process (look for suspicious paths/binary filenames as well).
4) Install and run rkhunter & chkrootkit to look for potentially malicious scripts or replaced binaries (clamav would also be a good idea if you haven't already installed the plugin through WHM).
5) Secure /tmp (search WHT; there are numerous posts on this).
6) Make sure any web applications such as CMSs/blogs etc. (Joomla esp.) are updated to their latest versions.
The following two resources are excellent and detail using the exim log and other techniques to track down the account that is sending the spam and other measures on how to stop spam:
The following is especially important to add extended logging to /var/log/exim_mainlog:
In WHM > Exim Configuration Editor > Switch to Advanced Mode > in the first textbox add the following line and then Save:
log_selector = +arguments +subject
Hope some of this helps and good luck!
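One way to read the extended log once the log_selector line above is in place, as an added example that is not part of the original post: shell functions that count sendmail invocations per working directory (the cwd= lines that +arguments produces) and locally submitted messages per user and subject (the T="..." field that +subject produces). The function names and the sample log lines are constructed for illustration.

```shell
# Added example: summarise an Exim main log written with
# log_selector = +arguments +subject.

# Count submissions per working directory. Only fields 3-4 are checked so a
# "cwd=" string inside a logged subject is not counted; Exim's own spool
# activity (/var/spool/...) is skipped.
cwd_counts() {
  awk '
    {
      for (i = 3; i <= 4 && i <= NF; i++)
        if ($i ~ /^cwd=/) {
          d = substr($i, 5)
          if (d !~ /^\/var\/spool/) n[d]++
        }
    }
    END { for (d in n) print n[d], d }
  ' "$1" | sort -k1,1nr -k2,2
}

# Count locally submitted messages ("<=" lines carrying U=) per user and
# subject. Output is tab-separated: count, user, subject.
subject_counts() {
  awk '
    / <= / && / U=/ {
      user = ""; subj = "(no subject logged)"
      for (i = 1; i <= NF; i++) if ($i ~ /^U=/) user = substr($i, 3)
      if (match($0, / T="/)) {
        subj = substr($0, RSTART + 4)
        sub(/" for .*$/, "", subj); sub(/"$/, "", subj)
      }
      n[user "\t" subj]++
    }
    END { for (k in n) print n[k] "\t" k }
  ' "$1" | sort -t "$(printf '\t')" -k1,1nr -k2
}

# Constructed sample log (accounts, hosts and message IDs are made up).
write_sample_log() {
  cat > "$1" <<'EOF'
2024-01-10 03:12:01 cwd=/home/alice/public_html/blog/cache 3 args: /usr/sbin/sendmail -t -i
2024-01-10 03:12:01 1rN0aa-0001Ab-2C <= alice@server.example.com U=alice P=local S=1422 T="Account notice" for a@example.net
2024-01-10 03:12:02 cwd=/home/alice/public_html/blog/cache 3 args: /usr/sbin/sendmail -t -i
2024-01-10 03:12:02 1rN0ab-0001Ac-3D <= alice@server.example.com U=alice P=local S=1431 T="Account notice" for b@example.net
2024-01-10 03:12:03 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1rN0ab-0001Ac-3D
2024-01-10 03:15:40 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2024-01-10 03:15:40 1rN0ac-0001Ad-4E <= bob@server.example.com U=bob P=local S=903 T="Contact form" for bob@example.org
EOF
}
```

After sourcing the functions, run cwd_counts /var/log/exim_mainlog and subject_counts /var/log/exim_mainlog; a directory or user/subject pair with a count far above the rest is the place to start looking.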