Exim sending spam as relay authenticated by deleted account?

My server has been sending spam this morning and I'm stumped as to where it's coming from. Log entries' look like this

Code:

2014-04-21 12:53:03 1WcIOs-00006Q-Hl <= senderaddress@aol.com H=(foo.com) [190.18.xx.xx]:2578 P=esmtpa A=dovecot_plainlduser@foo.com S=5777 T="Fw: News" for otheruser@hotmail.com otheruser@sbcglobal.net otheruser@yahoo.com etc...

olduser@foo.com was an address on an account, but those email addresses have all been moved to outlook.com and deleted from cpanel.

Tried the following:

Changed foo.com password
Restarted Exim
Blocked IP addresses - mail keeps being sent out from new IPs
Reviewed mail headers from queue

I can't understand why it is showing authentication from a removed address? Any thoughts?

Thanks!

 

I verified the email addresses were removed from the cPanel interface. Is there another way to verify the addresses have been deleted?

I sent a test email from the server and the exim log files show it being delivered to outlook.com (1cb6093de6c287409c0b8e7755b434.pamx1.hotmail.com) as it should be.

I fixed the problem by adding the account back in and changing the password. That disabled the spammers access.

Does that account somehow still exist if it has been deleted in the cPanel? There is still old mail in that account now that I have reactivated it. Is there a way to completely delete an email account?

 

The address has been added back in and password reset, so I can't test to see if I can authenticate this email again.

If the A parameter in the Exim log lists the user@foo.com address, doesn't that verify it was working?

A=dovecot_plain:user@foo.com

Spam was being relayed through my server, it popped up on my Spamcop monitor. Spoofing should allow mail to be relayed. After adding the account back in and setting a new password the relaying has stopped. I've had this message in the log files 58 times since then (for a variety of IP addresses).

2014-04-22 17:20:15 dovecot_plain authenticator failed for (foo.com) [78.188.35.189]:4612: 535 Incorrect authentication data (set_id=user@foo.com)

I attempted to login to one of the other old accounts on this domain and was not able to, but I may not have accurate password data. These accounts were all moved off this server over a year ago.