Send spam email with rdns server domain

[Nadermoradi]

Hello everyone
I have a strange problem.
Spam email is sent from my server, I closed all email ports in csf, but email was still being sent.
The more I checked, the more I noticed that emails were sent from users with rdns domain servers.
All emails are sent with Local IP (127.0.0.1).
I put the IP in the block list and the emails are rejected, but I want to know how the email is sent. Is the server hacked?
Processes are created from mailnull. No email will be sent when I stop this processing.

ps -aux |grep 'mailnull'
mailnull 1791867  1.2  0.0  84012  6312 ?        Ss   12:59   0:11 /usr/sbin/exim -ps -bd -q15m -oP /var/spool/exim/exim-daemon.pid
mailnull 2053018  0.0  0.0  86800  9764 ?        S    13:13   0:00 /usr/sbin/exim -ps -bd -q15m -oP /var/spool/exim/exim-daemon.pid
mailnull 2060185  0.0  0.0  84484  5984 ?        S    13:13   0:00 /usr/sbin/exim -ps -bd -q15m -oP /var/spool/exim/exim-daemon.pid
mailnull 2066604  0.0  0.0  87356  5984 ?        S    13:13   0:00 /usr/sbin/exim -ps -bd -q15m -oP /var/spool/exim/exim-daemon.pid
mailnull 2067195  0.0  0.0  87356  5984 ?        S    13:14   0:00 /usr/sbin/exim -ps -bd -q15m -oP /var/spool/exim/exim-daemon.pid

 

[cPRex]

Hey there! The best thing to do would be to scan the mail logs to see where the messages were being sent from. The following command will search the logs and let you know directories mail has been sent from. Just be sure to ignore system notification directories like /etc/csf when checking this output:

grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n

Can you try that and see if that gets you more useful details?

 

[Nadermoradi]

Thank you for your answer
But spam emails are not visible here.
Emails are sent through another. Which does not exist in this log.