If the email is still in your server's mail queue, the quickest approach to locate it in the email logs is to retrieve the message's ID, which you can accomplish at WHM > Mail Queue Manager. If you have the full headers for the email, you can also get the message ID from them.
After you've obtained the message ID, use the following command to look for it:
exigrep MESSAGEID /var/log/exim_mainlog*
You will then want to look for one of the following lines:
A=dovecot_login:
A=dovecot_plain:
The email's true sender is the email address that follows one of those strings. To keep that sender from sending more emails, change the password for that email address and the cPanel account's password right away.
If you don't see A=dovecot_login: in the message's <= line, or don't have an example message to look into, increasing Exim's verbosity is the best approach to figure out where on your server the spam is coming from. Modify the "log_selector" box in WHM's advanced Exim settings area with the following:
log_selector = +all
and then save it. Once you have allowed some time to pass (usually between 6 and 24 hours), run the following command:
awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr
It will list the directories that email was sent from. Look for user home directories with a high count, and check whether any mailer/spam scripts are being abused in those directories.
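The two checks above can be run across a whole log rather than one message at a time. The script below is an added example, not part of the original article: the function names and the sample log lines are constructed for illustration, and it scans every field instead of relying on fixed positions such as $3.

```shell
#!/bin/sh
# Added example. The log lines below are constructed, not from a real server.
SAMPLE_LOG=$(mktemp)
trap 'rm -f "$SAMPLE_LOG"' EXIT
cat > "$SAMPLE_LOG" <<'EOF'
2024-05-01 10:00:01 1sAAAA-0001aB-01 <= bob@example.com H=(pc) [203.0.113.5]:51234 P=esmtpsa A=dovecot_login:bob@example.com S=2048 for a@example.net
2024-05-01 10:00:02 1sAAAA-0001aB-02 <= bob@example.com H=(pc) [203.0.113.5]:51235 P=esmtpsa A=dovecot_login:bob@example.com S=2048 for b@example.net
2024-05-01 10:00:03 1sAAAA-0001aB-03 <= fake@example.org H=(pc) [203.0.113.5]:51236 P=esmtpsa A=dovecot_plain:alice@example.com S=2048 for c@example.net
2024-05-01 10:00:04 [4242] 1sAAAA-0001aB-04 <= bob@example.com H=(pc) [203.0.113.5]:51237 P=esmtpsa A=dovecot_login:bob@example.com S=2048 for d@example.net
2024-05-01 10:00:05 1sAAAA-0001aB-05 => a@example.net R=dkim_lookuphost T=dkim_remote_smtp H=mx.example.net [198.51.100.7]
2024-05-01 10:00:06 cwd=/home/exampleuser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:07 cwd=/home/exampleuser/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:08 [4243] cwd=/home/otheruser/public_html 3 args: /usr/sbin/sendmail -t -i
2024-05-01 10:00:09 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
EOF

# Messages accepted (<= lines) per authenticated account, highest count first.
# The account after A=dovecot_login:/A=dovecot_plain: is counted, not the
# envelope sender, which the client can set to anything (third sample line).
# Fields are scanned rather than addressed by position because extra log
# options (a [pid] column, for instance) shift them.
auth_sender_counts() {
    awk '/ <= / {
        for (i = 1; i <= NF; i++)
            if ($i ~ /^A=dovecot_(login|plain):/) {
                sub(/^A=dovecot_(login|plain):/, "", $i)
                n[$i]++
            }
    }
    END { for (a in n) print n[a], a }' "$1" | sort -k1,1nr -k2,2
}

# Submissions per working directory under /home, highest count first.
home_cwd_counts() {
    awk '{
        for (i = 1; i <= NF; i++)
            if ($i ~ /^cwd=\/home\//) { sub(/^cwd=/, "", $i); n[$i]++ }
    }
    END { for (d in n) print n[d], d }' "$1" | sort -k1,1nr -k2,2
}

auth_sender_counts "$SAMPLE_LOG"
home_cwd_counts "$SAMPLE_LOG"
```

On a live server, pass /var/log/exim_mainlog to either function in place of the sample file.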