How to know which process is spamming

rag_gupta

cPanel Access Level: Website Owner
My account has been hacked. I've removed the infections. I've disabled the nobody user from sending email and also limited each domain to sending a max of 50 emails/hr. I've checked the raw access logs and error log of Apache.
I've checked the exim_mainlog.

I've also gone through this useful thread: http://forums.cpanel.net/f5/server-overloaded-spam-exim-processes-226022.html

But someone is trying to send emails non-stop. All I want to know is which process it is. I'm not able to figure this out using ps aux or the top command.

Here are some entries from exim_mainlog:
Code:
2013-10-15 12:14:53 1VVyNA-00046a-Rf => usernamehere_ @gmail.com <[email protected]> R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.xx.xxx] X=TLSv1:RC4-SHA:128
2013-10-15 12:14:53 1VVyNA-00046a-Rf Completed
2013-10-15 12:14:54 1VVw2u-0007oC-6z ** usernamehere_ @hotmail.com R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2013-10-15 12:14:54 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1VVw2u-0007oC-6z
2013-10-15 12:14:54 1VVyNC-00046u-1T <= <> R=1VVw2u-0007oC-6z U=mailnull P=local S=4230 T="Mail delivery failed: returning message to sender" for [email protected]
2013-10-15 12:14:54 1VVw2u-0007oC-6z Completed
2013-10-15 12:14:54 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VVyNC-00046u-1T
2013-10-15 12:14:54 1VVyNB-00046h-33 => usernamehere_ @gmail.com <[email protected]> R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.xx.xxx] X=TLSv1:RC4-SHA:128
2013-10-15 12:14:54 1VVyNB-00046h-33 Completed
2013-10-15 12:14:54 1VVvwR-0002bL-Cn ** usernamehere_ @hotmail.com R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2013-10-15 12:14:54 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1VVvwR-0002bL-Cn
2013-10-15 12:14:54 1VVyNC-000471-90 <= <> R=1VVvwR-0002bL-Cn U=mailnull P=local S=4206 T="Mail delivery failed: returning message to sender" for [email protected]
2013-10-15 12:14:54 1VVvwR-0002bL-Cn Completed
2013-10-15 12:14:54 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VVyNC-000471-90
2013-10-15 12:14:55 1VVyNC-00046u-1T => usernamehere_ @gmail.com <[email protected]> R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.xx.xxx] X=TLSv1:RC4-SHA:128
2013-10-15 12:14:55 1VVyNC-00046u-1T Completed
2013-10-15 12:14:55 1VVvwu-000312-4V ** usernamehere_ @hotmail.com R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2013-10-15 12:14:55 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1VVvwu-000312-4V
2013-10-15 12:14:55 1VVyND-00047E-9S <= <> R=1VVvwu-000312-4V U=mailnull P=local S=4206 T="Mail delivery failed: returning message to sender" for [email protected]
2013-10-15 12:14:55 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VVyND-00047E-9S
2013-10-15 12:14:55 1VVvwu-000312-4V Completed
2013-10-15 12:14:55 1VVyNC-000471-90 => usernamehere_ @gmail.com <[email protected]> R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.xx.xxx] X=TLSv1:RC4-SHA:128
2013-10-15 12:14:55 1VVyNC-000471-90 Completed
2013-10-15 12:14:55 1VVw1R-0006ml-AR ** usernamehere_ @hotmail.com R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2013-10-15 12:14:55 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1VVw1R-0006ml-AR
2013-10-15 12:14:55 1VVyND-00047N-K9 <= <> R=1VVw1R-0006ml-AR U=mailnull P=local S=4226 T="Mail delivery failed: returning message to sender" for [email protected]
2013-10-15 12:14:55 1VVw1R-0006ml-AR Completed
2013-10-15 12:14:55 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VVyND-00047N-K9
2013-10-15 12:14:56 1VVyND-00047E-9S => usernamehere_ @gmail.com <[email protected]> R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.xx.xxx] X=TLSv1:RC4-SHA:128
2013-10-15 12:14:56 1VVyND-00047E-9S Completed
2013-10-15 12:14:56 1VVw3u-00007y-Dt ** usernamehere_ @hotmail.com R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2013-10-15 12:14:56 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1VVw3u-00007y-Dt
2013-10-15 12:14:56 1VVyND-00047N-K9 => usernamehere_ @gmail.com <[email protected]> R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.xx.xxx] X=TLSv1:RC4-SHA:128
2013-10-15 12:14:56 1VVyND-00047N-K9 Completed
2013-10-15 12:14:56 1VVvsR-00079x-5Z ** usernamehere_ @yahoo.com R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2013-10-15 12:14:56 1VVyNE-00047Z-Qq <= <> R=1VVw3u-00007y-Dt U=mailnull P=local S=4214 T="Mail delivery failed: returning message to sender" for [email protected]
2013-10-15 12:14:57 1VVw3u-00007y-Dt Completed
2013-10-15 12:14:57 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1VVvsR-00079x-5Z
2013-10-15 12:14:57 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VVyNE-00047Z-Qq
2013-10-15 12:14:57 1VVyNF-00047d-1y <= <> R=1VVvsR-00079x-5Z U=mailnull P=local S=4226 T="Mail delivery failed: returning message to sender" for [email protected]
2013-10-15 12:14:57 1VVvsR-00079x-5Z Completed
2013-10-15 12:14:57 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VVyNF-00047d-1y
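
An added example, not code from the thread or from cPanel: a small Python parser for exim_mainlog lines of the kind quoted above. It assumes the standard Exim main-log layout (timestamp, message id, one of `<=`, `=>`, `**`, `Completed`, then `X=value` tokens) plus the `cwd=... args:` lines Exim writes when a local process invokes it. The sample log embedded in the block mixes lines from the post with constructed lines (the `cwd=/home/exampleuser/...` invocations and the `U=nobody P=local` arrivals are made up for the demonstration) so that the output shows what the post's excerpt cannot: the directory of the local process that handed each discarded message to Exim.

```python
"""Summarise an Exim main log to locate where mail from 'nobody' is being injected.

Added example (not from the forum thread). Counts accepted messages per
submitting user (U=), lists messages discarded by the enforce_mail_permissions
router, links bounce messages (<= <>) back to the message they bounce, and
ranks the working directories (cwd=) of local exim invocations outside Exim's
own spool, which is where a web script sending mail normally shows up.
"""
import re
from collections import Counter

# "<date> <time> <msgid> <flag> ..." where flag is <= (arrival), => (delivery),
# ** (failure) or Completed.
MSG_RE = re.compile(
    r"^(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2}) "
    r"(?P<id>[A-Za-z0-9]{6}-[A-Za-z0-9]{6}-[A-Za-z0-9]{2}) "
    r"(?P<flag><=|=>|\*\*|Completed)(?P<rest>.*)$"
)
# "<date> <time> cwd=<dir> <n> args: <argv...>" written for local invocations.
CWD_RE = re.compile(r"^(?P<ts>\S+ \S+) cwd=(?P<cwd>\S+) \d+ args: (?P<argv>.*)$")
# Single-letter key=value tokens (U=mailnull, R=..., P=local, S=4230, ...).
KV_RE = re.compile(r"(?<!\S)([A-Z])=(\S+)")

# Constructed sample: post lines plus made-up cwd= and U=nobody lines.
CONSTRUCTED_LOG = """\
2013-10-15 12:14:50 cwd=/home/exampleuser/public_html/uploads 3 args: /usr/sbin/exim -t -i
2013-10-15 12:14:50 1VVw2u-0007oC-6z <= sender@example.invalid U=nobody P=local S=1856
2013-10-15 12:14:53 1VVyNA-00046a-Rf => usernamehere_ @gmail.com <[email protected]> R=dkim_lookuphost T=dkim_remote_smtp H=gmail-smtp-in.l.google.com [173.194.xx.xxx] X=TLSv1:RC4-SHA:128
2013-10-15 12:14:53 1VVyNA-00046a-Rf Completed
2013-10-15 12:14:54 1VVw2u-0007oC-6z ** usernamehere_ @hotmail.com R=enforce_mail_permissions: Mail sent by user nobody being discarded due to sender restrictions in WHM->Tweak Settings
2013-10-15 12:14:54 cwd=/var/spool/exim 7 args: /usr/sbin/exim -t -oem -oi -f <> -E1VVw2u-0007oC-6z
2013-10-15 12:14:54 1VVyNC-00046u-1T <= <> R=1VVw2u-0007oC-6z U=mailnull P=local S=4230 T="Mail delivery failed: returning message to sender" for [email protected]
2013-10-15 12:14:54 1VVw2u-0007oC-6z Completed
2013-10-15 12:14:54 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VVyNC-00046u-1T
2013-10-15 12:14:55 cwd=/home/exampleuser/public_html/uploads 3 args: /usr/sbin/exim -t -i
2013-10-15 12:14:55 1VVvwR-0002bL-Cn <= sender@example.invalid U=nobody P=local S=1856
"""


def parse_line(line):
    """Return a dict for one log line, or None if the line is not recognised."""
    m = MSG_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "message"
        # Strip the trailing colon Exim appends after a router name in "**" lines.
        rec["fields"] = {k: v.rstrip(":") for k, v in KV_RE.findall(rec["rest"])}
        rec["discarded_by_policy"] = "enforce_mail_permissions" in rec["rest"]
        return rec
    m = CWD_RE.match(line)
    if m:
        rec = m.groupdict()
        rec["kind"] = "cwd"
        return rec
    return None


def summarise(log_text):
    """Aggregate a log into the counters a responder needs to find the sender."""
    accepted_by_user = Counter()   # "<=" lines per submitting user (U=)
    discarded = []                 # ids dropped by enforce_mail_permissions
    bounces = {}                   # bounce msgid -> original msgid (R= on "<= <>")
    cwd_counts = Counter()         # local invocation dirs outside Exim's spool
    submit_dir = {}                # msgid -> dir of the process that submitted it
    pending_cwd = None             # heuristic: a cwd= line precedes its "<=" line
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["kind"] == "cwd":
            if rec["cwd"].startswith("/var/spool/exim"):
                pending_cwd = None          # Exim's own bounce/delivery work
            else:
                cwd_counts[rec["cwd"]] += 1
                pending_cwd = rec["cwd"]
            continue
        f = rec["fields"]
        if rec["flag"] == "<=":
            accepted_by_user[f.get("U", "unknown")] += 1
            if rec["rest"].lstrip().startswith("<>") and "R" in f:
                bounces[rec["id"]] = f["R"]     # null sender: a bounce for R=
            elif f.get("P") == "local" and pending_cwd is not None:
                submit_dir[rec["id"]] = pending_cwd
                pending_cwd = None
        elif rec["flag"] == "**" and rec["discarded_by_policy"]:
            discarded.append(rec["id"])
    return {
        "accepted_by_user": accepted_by_user,
        "discarded": discarded,
        "bounces": bounces,
        "cwd_counts": cwd_counts,
        "submit_dir": submit_dir,
    }


if __name__ == "__main__":
    result = summarise(CONSTRUCTED_LOG)
    print("accepted per user:", dict(result["accepted_by_user"]))
    print("local invocation dirs:", result["cwd_counts"].most_common())
    for msgid in result["discarded"]:
        print("discarded", msgid, "submitted from", result["submit_dir"].get(msgid, "?"))
    for bounce, orig in result["bounces"].items():
        print("bounce", bounce, "generated for", orig)
```

On a real server the same script can be pointed at `/var/log/exim_mainlog` (read the file instead of `CONSTRUCTED_LOG`). The cwd-to-message correlation is a heuristic that relies on the cwd line immediately preceding its `<=` line; on a busy server two submissions can interleave, so treat the `cwd_counts` ranking as the reliable signal and the per-message directory as a hint to confirm against the script's own files and the Apache access log timestamps.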
 

cPanelMichael

Administrator
Staff member
Hello :)

You can browse to the "Mail" tab in "WHM Home » Service Configuration » Exim Configuration Manager" and check to ensure the following option is enabled:

"Query Apache server status to determine the sender of email sent from processes running as nobody"

Also, have you considered enabling suPHP so that the account username is used for email coming from PHP scripts?

Thank you.