homeprimax

Member
We have one strange account that sends a lot of spam messages, but we are unable to find out how they do this. Look at the return message:
Code:
Return-path: <[email protected]>
Received: from dym by xxx.com with local (Exim 4.80.1)
        (envelope-from <[email protected]>)
        id 1VdN4J-0007cB-3B
        for [email protected]; Mon, 04 Nov 2013 11:31:59 -0500
From: =?UTF-8?B?S2F0aHJpbmUgRGl2ZXJz?= <[email protected]>
To: [email protected]
Subject: =?UTF-8?B?WW91IGdvdCBhIFBFUlNPTkFMIE1FU1NBR0UgZnJvbSBLYXRocmluZSBEaXZlcnM=?=
MIME-Version: 1.0
Content-Type: multipart/related;
        boundary="=_3ca0c6251c04e46c9c7c4c82365d7e44"
Message-Id: <[email protected]>
Sender:  <[email protected]>
Date: Mon, 04 Nov 2013 11:31:59 -0500
As you can see, user "dym" is sending spam. But this user does not have Shell Access, has no jobs in crontab, and has no suspicious scripts in the account.
To avoid problems with IP blacklisting, I've set "Maximum Hourly Email by Domain Relayed" to 2. So we have about 2gb of messages per day returned to the main email account. But this is not a good solution... Need help!
 

cPanelMichael

Administrator
Staff member
Hello :)

Have you tried changing the password for the account to see if the messages continue? Have you reviewed the /var/log/exim_mainlog file to get a better idea of what types of messages are sent out? The following document may also be helpful:

cPanel - Prevent Email Abuse

Thank you.
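
Added example (not part of either post, and not cPanel's own tooling): one way to review /var/log/exim_mainlog for the source of locally submitted mail such as the "with local" message above. It tallies arrivals by submitting system user and by the working directory of the submitting process. It assumes Exim's `arguments` log selector is enabled so that `cwd=` lines are written; the sample log lines are constructed.

```python
import re
from collections import Counter

# Constructed sample lines in Exim main-log format (not from the thread's server).
SAMPLE_LOG = """\
2013-11-04 11:31:58 cwd=/home/dym/public_html/images 3 args: /usr/sbin/sendmail -t -i
2013-11-04 11:31:59 1VdN4J-0007cB-3B <= dym@host.example U=dym P=local S=2210 for a@example.net
2013-11-04 11:31:59 cwd=/var/spool/exim 3 args: /usr/sbin/exim -Mc 1VdN4J-0007cB-3B
2013-11-04 11:32:01 cwd=/home/dym/public_html/images 3 args: /usr/sbin/sendmail -t -i
2013-11-04 11:32:02 1VdN4M-0007cF-9K <= dym@host.example U=dym P=local S=2198 for b@example.net
2013-11-04 11:32:05 1VdN4P-0007cJ-1A <= bob@site.example H=(pc) [203.0.113.7] P=esmtpa A=dovecot_login:bob@site.example S=900 for c@example.net
2013-11-04 11:32:09 cwd=/home/alice/public_html 3 args: /usr/sbin/sendmail -t -i
2013-11-04 11:32:10 1VdN4U-0007cN-2C <= alice@host.example U=alice P=local S=1500 for d@example.net
"""

ARRIVAL = re.compile(r"^\S+ \S+ \S+ <= \S+ (.*)$")   # message accepted by Exim
CWD = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: ")    # process that invoked Exim


def summarize(log_text):
    """Return (local submissions per user, SMTP-auth logins, submitting directories)."""
    local_users, auth_logins, script_dirs = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = CWD.match(line)
        if m:
            # Exim's own queue and delivery processes run from its spool; skip them.
            if not m.group(1).startswith("/var/spool/"):
                script_dirs[m.group(1)] += 1
            continue
        m = ARRIVAL.match(line)
        if not m:
            continue
        fields = {}
        for token in m.group(1).split():
            key, sep, value = token.partition("=")
            if sep:
                # First occurrence wins, so text in a logged subject cannot override U= or P=.
                fields.setdefault(key, value)
        if fields.get("P") == "local":
            local_users[fields.get("U", "?")] += 1   # handed to Exim on the server itself
        elif "A" in fields:
            auth_logins[fields["A"]] += 1            # sent over authenticated SMTP
    return local_users, auth_logins, script_dirs


if __name__ == "__main__":
    for title, counts in zip(("local users", "auth logins", "cwd"), summarize(SAMPLE_LOG)):
        print(title, counts.most_common(5))
```

A high count under `P=local` for one user together with a single web directory in the `cwd` tally points at a script in that directory rather than at a stolen mailbox password.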