Indeed, just today something similar (or at least similarly strange) occurred, this time with a server using the Courier email system. Here are the details if anyone is interested:
We were alerted that spam was being broadcast from one of our hosting accounts. In this case the spammer was using an addon domain.
What's unusual about this is that we were NOT able to easily stop the outflow of spam simply by changing the affected account's password, which has always worked before. After the password change, the spammer was still able to log into the account to send spam messages.
Then I tried changing the main cPanel account password. Still no good: the spammer was still able to broadcast through this same, aforementioned email account.
Then I removed the email account in question. Still no good: the spammer was STILL able to perform Courier logins (using the email account user ID of the account I had just removed) to broadcast spam.
Then I unparked the addon domain in question, and AMAZINGLY the spammer was still able to log in to broadcast spam using the same email account ID.
The only thing that stopped the broadcast of spam was either doing a full restart of the exim system via WHM ("service exim stop" was not working via shell), or the fact that we finally blocked the incoming IP address that was logging in to send spam. I do not know which, because we performed both of these actions at the same time. I also inserted the affected email address/login in antivirus.exim so as to block the continuous outflow of spam.
We never had to go to this extent before to block spam from an obviously compromised email account. Before, all we had to do was access the affected email account via cPanel and change the password, without having to restart exim or block any incoming IPs, and this would be enough to start seeing failed logins in /var/log/exim_mainlog. But not these days.
Before the recent, significant cPanel update, we were always just able to simply change the compromised email account's password, and then the spam would stop. But now there are all of these steps that we obviously must also do. I'm still trying to figure out how the spammer was still able to broadcast spam even after the affected email account was removed. I have a theory that because the spammer in this case was originating from a single IP address, he somehow stayed connected to exim with the same email sending credential, even after the account was removed.
Also, for the first time in nearly a decade of using cPanel servers, we are now seeing spam sent from logins to the primary email account, as well as spam sent from non-existent email addresses/accounts.
No complaints, but several hours ago we opened a ticket at cPanel.net for this most recent incident; so far, no response:
The other ticket, opened yesterday, has been responded to, but unfortunately we have yet to receive a response addressing the very unusual nature of the issue, which is the fact that logins were occurring to non-existent email IDs:
This is a very concerning issue for us.
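The post above relies on reading /var/log/exim_mainlog by eye to spot the authenticated logins that are sending the spam, the failed logins that appear once a password change actually takes effect, and logins for accounts that no longer exist. The following script is an added example, not code from the post or from cPanel, that does that triage over a few constructed log lines: it pulls out every successful authenticated submission (the `A=<authenticator>:<login>` field) and every failed authentication, counts messages per login and source IP, and flags any login that is not in a list of accounts that should exist. The log-line format, the `KNOWN_ACCOUNTS` list and all addresses, IPs and message ids are assumptions made up for the example.

```python
import re
from collections import Counter

# Constructed sample log lines in the shape of exim main-log entries as seen
# on a cPanel host with the Courier authenticator (format assumed; every
# address, hostname, IP and message id here is made up for the example).
SAMPLE_LOG = """\
2024-05-01 10:00:01 1s2xAb-0001aa-Qr <= bob@addon-example.test H=(localhost) [203.0.113.5] P=esmtpa A=courier_login:bob@addon-example.test S=2211 id=1@localhost
2024-05-01 10:00:02 1s2xAc-0001ab-Qr <= bob@addon-example.test H=(localhost) [203.0.113.5] P=esmtpa A=courier_login:bob@addon-example.test S=2204 id=2@localhost
2024-05-01 10:00:03 courier_login authenticator failed for (localhost) [198.51.100.9]: 535 Incorrect authentication data (set_id=alice@example.test)
2024-05-01 10:00:04 1s2xAd-0001ac-Qr <= ghost@example.test H=(localhost) [203.0.113.5] P=esmtpa A=courier_login:ghost@example.test S=2190 id=3@localhost
2024-05-01 10:00:05 1s2xAe-0001ad-Qr <= alice@example.test H=(mail.example.test) [192.0.2.10] P=esmtpa A=courier_login:alice@example.test S=4102 id=4@localhost
"""

# Accounts that should exist on the server (hypothetical list; on a real host
# this would be built from the mailbox directories or the cPanel account data).
KNOWN_ACCOUNTS = {"bob@addon-example.test", "alice@example.test"}

# Successful authenticated submission: a message accepted ("<=") carrying an
# A=<authenticator>:<login> field, with the client IP in square brackets.
AUTH_OK_RE = re.compile(
    r"^\S+ \S+ \S+ <= \S+ .*?\[(?P<ip>[0-9.]+)\].*? A=(?P<auth>\w+):(?P<user>\S+)"
)
# Failed authentication attempt as exim logs it for a plaintext authenticator.
AUTH_FAIL_RE = re.compile(
    r"authenticator failed for .*?\[(?P<ip>[0-9.]+)\].*?set_id=(?P<user>[^)]+)\)"
)


def parse_auth_events(log_text):
    """Return a list of (kind, login, ip) tuples; kind is 'ok' or 'fail'."""
    events = []
    for line in log_text.splitlines():
        m = AUTH_OK_RE.search(line)
        if m:
            events.append(("ok", m.group("user"), m.group("ip")))
            continue
        m = AUTH_FAIL_RE.search(line)
        if m:
            events.append(("fail", m.group("user"), m.group("ip")))
    return events


def summarize(events, known_accounts, threshold=50):
    """Aggregate the events into per-login/IP volume, failed logins per IP,
    and the set of logins that do not correspond to a known account."""
    sent = Counter()     # (login, ip) -> accepted messages
    failed = Counter()   # ip -> failed logins
    for kind, user, ip in events:
        if kind == "ok":
            sent[(user, ip)] += 1
        else:
            failed[ip] += 1
    unknown = {user for (user, _ip) in sent if user not in known_accounts}
    # Flag a login/IP pair when it is high volume or the login should not exist.
    flagged = [(user, ip, n) for (user, ip), n in sent.items()
               if n >= threshold or user not in known_accounts]
    return {"sent_by_user_ip": sent, "failed_by_ip": failed,
            "unknown_senders": unknown, "flagged": flagged}


if __name__ == "__main__":
    # On a real host: open("/var/log/exim_mainlog").read() instead of SAMPLE_LOG,
    # with a threshold tuned to the server's normal per-account volume.
    report = summarize(parse_auth_events(SAMPLE_LOG), KNOWN_ACCOUNTS, threshold=2)
    for user, ip, n in report["flagged"]:
        tag = "UNKNOWN ACCOUNT" if user not in KNOWN_ACCOUNTS else "high volume"
        print(f"{user} from {ip}: {n} message(s) [{tag}]")
    for ip, n in report["failed_by_ip"].items():
        print(f"{n} failed login(s) from {ip}")
```

The `unknown_senders` set is the check that matters for the situation described in the post: a login that still appears in accepted-message lines after its mailbox has been removed shows up there immediately, and the `(login, ip)` counter makes it obvious when all of that traffic comes from one source address, which is the case where blocking the IP is the quickest containment step.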