Domain has exceeded the max emails per hour

Hello,
I am experiencing problem with a specific email address. It sends mass spam mails, CSF notify me:

Show/Hide: Localhost relay info

Code:

Time:  Tue May 22 07:32:25 2018 +0300
Type:  LOCALHOSTRELAY, IPv6 localhost - ::1
Count: 355 emails relayed
Blocked: No

Sample of the first 10 emails:

- Removed -

On mail delivery reports I saw differences between mail send from spam and mail send from user:

User mail:

Code:

Authentication:    dovecot_login
Delivery User:    -remote-
Router:    dkim_lookuphost
Transport:    dkim_remote_smtp

Spam mail:

Code:

Authentication:    dovecot_login
Delivery User:    -system-
Router:    enforce_mail_permissions
Transport:    fail (because domain has exceeded the max emails per hour)

I am wondering:
If this is a normal login (spammer have the email password) or is something else going wrong?
Why delivery user on spam mails is system?
Why router on spam mail is enforce_mail_permissions? (Because domain exceeded the max emails per hours?

 

Code:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Code:

      1 /home/user1/public_html/mail
      1 /home/user2/public_html
      1 /home/user3/public_html/test
      1 /home/user4/public_html/site
      1 /home/user5/public_html
      1 /home/user6/public_html/en
      1 /home/user7/public_html
      1 /home/user8/public_html
      2 /home/user9/public_html
      2 /home/user10/public_html/wp-admin
      7 /home/user11
     15 /root
     25 /home/user12/public_html
    184 /home/user13/public_html
    311 /home/user14/public_html
   2138 /etc/csf
   2265 /

Code:

grep -oP "(?<=A=dovecot_(login|plain):)\S+|(?<= U=)\S+" /var/log/exim_mainlog | sort | uniq -c|awk '{print $2,$1}'|sort -k2n|column -t

Code:

info@domain15.com              60
elen@domain10.com              77
user13                        186
root                          359
user16                        397
user17                        622
mailnull                      965
user15                        95251

user15 owns domain15

 

That's right user15 didn't show up at all in first command

 

Nothing unusual to the report
But the command check 5 days ago? (exim_mainlog was already renamed from that date)

 

According to the ticket:

Code:

I was able to find a number of spamd log entries for localhost connections that were considered spam. Some of them were from user15 who owns domain15:
[00:20:09 hostname root@9656309 /var/log]cPs# grep user15 /root/May24spamassassin
May 24 08:56:05 hostname spamd[10280]: spamd: setuid to user15 succeeded
May 24 08:56:05 hostname spamd[10280]: spamd: checking message <3d1181987f3b43986d6bedf46ae2ef2f@pomagri.com.br> for user15:1011
May 24 08:56:07 hostname spamd[10280]: spamd: identified spam (6.0/5.0) for user15:1011 in 2.3 seconds, 43303 bytes.
May 24 08:56:07 hostname spamd[10280]: spamd: result: Y 6 - DKIM_SIGNED,DKIM_VALID,HTML_MESSAGE,RDNS_NONE,SPF_FAIL scantime=2.3,size=43303,user=user15,uid=1011,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=46106,mid=<3d1181987f3b43986d6bedf46ae2ef2f@pomagri.com.br>,autolearn=no autolearn_force=no,shortcircuit=no
May 24 22:13:10 hostname spamd[29702]: spamd: setuid to user15 succeeded
May 24 22:13:10 hostname spamd[29702]: spamd: checking message <upxuvds81186123.12473752@mail.bestwill.eu> for user15:1011
May 24 22:13:12 hostname spamd[29702]: spamd: identified spam (15.6/5.0) for user15:1011 in 1.5 seconds, 174004 bytes.
May 24 22:13:12 hostname spamd[29702]: spamd: result: Y 15 - HTML_IMAGE_ONLY_16,HTML_IMAGE_RATIO_02,HTML_MESSAGE,HTML_SHORT_LINK_IMG_2,KAM_VERY_BLACK_DBL,MAILING_LIST_MULTI,SPF_PASS,URIBL_BLACK,URIBL_DBL_SPAM scantime=1.5,size=174004,user=user15,uid=1011,required_score=5.0,rhost=localhost.localdomain,raddr=127.0.0.1,rport=57486,mid=<upxuvds81186123.12473752@mail.bestwill.eu>,autolearn=spam autolearn_force=no,shortcircuit=no
=-=

This happen to some other users as well, but nothing at the current maillog.
So I was confused were the problem is located?