HELP! My Server is being used for spam

[iKHost]

Ok, yestersay I noticed exim cpu usage skyrocketting and many instances of it open. I have looked through the logs and it does not appear that someone is spamming through POP butr through a script. What can I do to identify the script used?
I know the times of actual attacks so I can trace it if this is needed.

Please help, right now I am restarting exim every half hour or so (oh it seems to start every 30 minutes too, where can I check to see what cron jobs my clients have scheduled)

TIA

 

[dgbaker]

Look in /var/spool/exim/input and msglog.

grep for users

in input look at the group that owns the files.

That's a start.

 

[iKHost]

IP?

I have an IP, how can I check to see if any of my clients have logged in using that IP? I already checked /etc/httpd/logs/access_log

 

[dgbaker]

check through /var/log/

mainly look at messages and secure.

 

[iKHost]

nothing..

nothing there about that IP, is it possible one of my clients is using a mailing list to do this? How can I shut off lists?

 

[sac-host]

how do you restrict smtp to authenticate???

 

[Website Rob]

/var/spool/exim/input and msglog

These two directories show no files at all on my Server -- is that correct? Seems there should be something in there.

 

[dgbaker]

The only time there would anything in there is when there is incoming/outgoing mail in the queue.