List directories that email was sent from

The best way to determine where these messages are being sent from on your server is to increase Exim's logging verbosity. Put this in the top box of the Advanced Exim Configuration area of WHM:

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject +tls_cipher +tls_peerdn

Then save it. Allow some time to pass (roughly 6 to 24 hours) so that the log accumulates entries, and then run the following:

awk '$3 ~ /^cwd/{print $3}' /var/log/exim_mainlog | sort | uniq -c | sed "s|^ *||g" | sort -nr

This will list the directories that email was sent from, with a count for each. You'd be looking for user home directories with a large count. If there are no counts or directories in that listing, it's possible they are using a raw socket() call to connect to remote MX servers directly, bypassing Exim (so nothing is logged), and spam from there.
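The pipeline above relies on the `cwd=` field that the `+arguments` log selector adds to each locally submitted message. The following script is an added example, not part of the original post: it builds a small constructed `exim_mainlog` sample with that field present, wraps the page's pipeline in a function that also strips the `cwd=` prefix, and adds two helpers a triage would want, one that narrows the listing to user home directories and one that reports whether any `cwd=` entries exist at all (the "nothing listed" case the text describes). The log lines, message IDs, users and paths are invented for the sample. The field positions assume the default `date time cwd=...` layout; if `+pid` were added to `log_selector`, a `[pid]` column would shift the `cwd=` field to `$4`.

```shell
#!/bin/sh
# Added example: count message-submission directories from an exim_mainlog.
# Assumes the +arguments log selector is enabled, which makes Exim log lines
# such as "2011-03-01 10:00:01 cwd=/home/alice 3 args: /usr/sbin/sendmail -t -i".

# Constructed sample log (not a real log); alice=4, root=2, bob=1 submissions.
SAMPLE_LOG=$(mktemp)
cat > "$SAMPLE_LOG" <<'EOF'
2011-03-01 10:00:01 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2011-03-01 10:00:01 1PuJ0b-0001vc-Qa <= alice@example.com U=alice P=local S=612 T="Hello"
2011-03-01 10:00:02 cwd=/root 4 args: /usr/sbin/exim -bs -oMr local
2011-03-01 10:00:03 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2011-03-01 10:00:04 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2011-03-01 10:00:05 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
2011-03-01 10:00:06 1PuJ0g-0001ve-Ab => bob@example.net R=dkim_lookuphost T=dkim_remote_smtp
2011-03-01 10:00:07 cwd=/root 4 args: /usr/sbin/exim -bs -oMr local
2011-03-01 10:00:08 cwd=/home/alice/public_html/wp-content/uploads 3 args: /usr/sbin/sendmail -t -i
EOF

# Same pipeline as the page, but with the "cwd=" prefix removed so that
# the second column is a plain path. Output: "<count> <directory>", highest first.
cwd_counts() {
    awk '$3 ~ /^cwd=/ { sub(/^cwd=/, "", $3); print $3 }' "$1" \
        | sort | uniq -c | sed 's|^ *||' | sort -nr
}

# Only submissions made from under /home/, i.e. from user accounts.
home_cwd_counts() {
    cwd_counts "$1" | awk 'index($2, "/home/") == 1'
}

# Directory with the most submissions, and its count.
top_cwd() {
    cwd_counts "$1" | head -n 1 | awk '{ print $2 }'
}
top_cwd_count() {
    cwd_counts "$1" | head -n 1 | awk '{ print $1 }'
}

# Exit 0 if the log contains any cwd= entries at all. An empty listing means
# mail is not being handed to Exim locally (the raw-socket case in the text).
cwd_entries_found() {
    awk '$3 ~ /^cwd=/ { found = 1; exit } END { exit !found }' "$1"
}

echo "All submission directories:"
cwd_counts "$SAMPLE_LOG"
echo
echo "User home directories only:"
home_cwd_counts "$SAMPLE_LOG"
echo
echo "Busiest: $(top_cwd "$SAMPLE_LOG") ($(top_cwd_count "$SAMPLE_LOG") messages)"
cwd_entries_found "$SAMPLE_LOG" || echo "No cwd= entries: check for direct SMTP connections instead."
```

To run it against the real log, replace `$SAMPLE_LOG` with `/var/log/exim_mainlog`. A path deep inside a user's `public_html` with a count far above the others is the usual sign of a compromised script; `/root` or `/var/spool` entries typically belong to system mail and cron jobs.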

Also, you may want to check the queue to see if this is just one message that is being retried, in which case you can simply delete it from the queue. This can also be done from WHM using "Mail Queue Manager".
