Spammer has relayed through my server using a forwarder (no real account) as authentication

GQsm

Member
An account hit its email defer limit yesterday, so I looked at the outbound email and saw a load of email that had gone out from a local alias/forwarder (no email account).

Mail report shows
Code:
Event:   success
Sender User:   ClientUser
Sender Domain:   clientdomain.com
Sender:   [email protected]
Sent Time:   Oct 31, 2018 12:10:12 PM
Sender Host:   SpammerIP
Sender IP:   SpammerIP
Authentication:   courier_login
Spam Score:   0
Recipient:   [email protected]

exim_maillog shows

2018-10-31 13:10:52 1gHqGo-0006LX-TY <= [email protected] H=([SpammerIP]) [SpammerIP]:49169 P=esmtpa A=courier_login:[email protected] S=1493978 T="Goods Order" for [email protected]
2018-10-31 13:10:52 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1gHqGo-msgID
2018-10-31 13:10:52 1gHqGo-msgID SMTP connection outbound 1540991452 1gHqGo-msgID clientdomain.com [email protected]
Sorry the post is not finished but it won't let me edit it in any shape or form!
I was in the process of removing the exim log lines from 2018-10-31 13:10:57 onwards

It was also meant to end with...

How did they send this mail out? There is no user/password for the account
[email protected] and my server is not an open relay.
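One way to check an exim_mainlog for the pattern described in this post, as an added example that is not part of the thread or of cPanel's own tooling: it parses the `<=` receipt lines, keeps only authenticated submissions (`P=esmtpa` / `P=esmtpsa` carrying an `A=authenticator:login` tag, which is exim's record that the client logged in as that address), and reports any login under an address that exists only as a forwarder, plus any IP/login pair whose message count passes a threshold. The sample log lines, addresses, IPs and the forwarder list are constructed placeholders modelled on the log above; local `cwd=/home/...` script submissions have no `A=` tag and are deliberately left out of this check.

```python
import re
from collections import Counter, defaultdict

# Constructed sample exim_mainlog lines (placeholder IPs, message ids and addresses).
SAMPLE_LOG = """\
2018-10-31 13:10:52 1gHqGo-0006LX-TY <= sales@clientdomain.com H=([203.0.113.7]) [203.0.113.7]:49169 P=esmtpa A=courier_login:sales@clientdomain.com S=1493978 T="Goods Order" for victim1@example.net
2018-10-31 13:10:58 1gHqGu-0006M1-AB <= sales@clientdomain.com H=([203.0.113.7]) [203.0.113.7]:49170 P=esmtpa A=courier_login:sales@clientdomain.com S=1493978 T="Goods Order" for victim2@example.org
2018-10-31 13:11:03 1gHqGz-0006M9-CD <= bob@clientdomain.com H=(laptop) [198.51.100.20]:51234 P=esmtpsa A=dovecot_login:bob@clientdomain.com S=2048 T="Re: invoice" for partner@example.com
2018-10-31 13:11:10 1gHqH6-0006MF-EF <= newsletter@other.example [192.0.2.9]:25 P=esmtp S=4096 T="Weekly" for bob@clientdomain.com
"""

# Addresses that exist only as forwarders/aliases on this server (constructed list).
# They have no mailbox and no password, so a successful SMTP login under one of
# these names is itself the anomaly worth investigating.
FORWARDER_ONLY = {"sales@clientdomain.com"}

# Matches exim's message-receipt ("<=") line: timestamp, message id, envelope sender,
# the connecting IP in [..]:port, the protocol (P=) and, if present, the A= auth tag.
LINE_RE = re.compile(
    r'^(?P<ts>\S+ \S+) (?P<id>\S+) <= (?P<sender>\S+) .*?\[(?P<ip>[^\]]+)\]:\d+ '
    r'P=(?P<proto>\S+)(?: A=(?P<auth>[^:\s]+):(?P<authuser>\S+))?'
)


def parse_receipts(log_text):
    """Yield one dict per '<=' receipt line; delivery and other lines are ignored."""
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if m:
            yield m.groupdict()  # 'auth'/'authuser' are None when no A= tag is present


def find_suspicious_auth(log_text, forwarder_only, per_ip_threshold=50):
    """Return two findings over authenticated submissions only:
    - forwarder_auth: logins under addresses that should not be able to authenticate,
      keyed by login, listing (message id, client IP) pairs;
    - bulk_senders: (client IP, login) pairs at or above per_ip_threshold messages."""
    forwarder_hits = defaultdict(list)
    per_ip = Counter()
    wanted = {a.lower() for a in forwarder_only}
    for r in parse_receipts(log_text):
        if r["auth"] is None:
            continue  # unauthenticated inbound mail is not a relay candidate here
        login = r["authuser"].lower()
        per_ip[(r["ip"], login)] += 1
        if login in wanted:
            forwarder_hits[login].append((r["id"], r["ip"]))
    bulk = {k: n for k, n in per_ip.items() if n >= per_ip_threshold}
    return {"forwarder_auth": dict(forwarder_hits), "bulk_senders": bulk}


if __name__ == "__main__":
    # Low threshold so the four-line sample produces a bulk finding.
    report = find_suspicious_auth(SAMPLE_LOG, FORWARDER_ONLY, per_ip_threshold=2)
    for login, hits in report["forwarder_auth"].items():
        print(f"forwarder-only login used for SMTP auth: {login}")
        for msg_id, ip in hits:
            print(f"  {msg_id} from {ip}")
    for (ip, login), n in report["bulk_senders"].items():
        print(f"bulk: {n} messages from {ip} authenticated as {login}")
```

On a live server the same function can be fed `/var/log/exim_mainlog` directly; the `A=` tag is the detail to act on, because it says which credential the client presented, and a login under an address that has no mailbox points at the authentication path rather than at an open relay.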

cPanelLauren

Product Owner II
Staff member
Hi @GQsm

Based on the information I have, it sounds like a PHP script on the account was compromised; in most cases this stems from a vulnerable plugin/theme/component that is added to a CMS installation on the account. To resolve this, you'd need to identify the source of the compromise and remove any illegitimate files/modifications to the files. A malware scanner should get you on the right track; there are many to choose from, but we do offer ClamAV in WHM: Configure ClamAV Scanner - Version 74 Documentation - cPanel Documentation