How To Disable AuthRelay in Exim to block Spammers

[BlackRain]

Server Setup: cPanel 11.25.0-C42399 - WHM 11.25.0 - X 3.9, CENTOS 5.4, PHP 5.3.1, Exim 4.69-23.1, CSF Firewall, Mailscanner/MSFE.

Problem: Spammers are finding a way to AUTH RELAY spam with BCC multiple recipients through our server on domains that have no email accounts.

Example of spammer attempt:

2010-01-08 13:32:28 [23527] 1NTOJg-00067T-FN <= SPAMMER@hotmail.com H=host.SPAMMER.net ([10.97.XX.XXX]) [SPAMMERIPADDRESS]:38538 I=[OURIPADDRESS]:25 P=esmtpa A=fixed_login:user S=3893 id=20100108233235.14254@ld.che.vodafone T="Your Response is Needed" from <spammer@hotmail.com> for XXXX@live.co.uk YYYY@yahoo.com ZZZZ@yahoo.ca PPPP@yahoo.com

Note the fixed_login part. We have NO email accounts on this domain. How could it be a fixed log in?

Fixes used : Enabled most Exim security options via Cpanel/WHM. Changed domain passwords. We added log_selector = +all and host_lookup = 0.0.0.0/0 to the exim.conf. SPF, rDNS, Domainkeys installed. Tested our IP's at abuse.net to make sure we were not an open relay.

Reviewed logs to make sure no one but our IP has logged into the server, Cpanel, or domains.

The only way we can block these attempts currently is to rate limit AUTH RELAY in CSF Firewall to "0".

I know that standard line is that Exim is not setup to relay mail by default but spammers have figured out a way.

Any ideas?