1000 emails have just been sent

abrapin (New member, joined Jun 12, 2012, messages: 2)
Hi, sorry in advance if this is not posted in the right place. Over the past 4-5 months I've been getting messages from DirectAdmin on my client's server about possible spammer activity, here's one of them (actual domain is hashed out):

The ##### account has just finished sending 1000 emails.
There could be a spammer, the account could be compromised, or just sending more emails than usual.

After some processing of the /etc/virtual/usage/#####.bytes file, it was found that the highest sender was #####@#####.com, at 1001 emails.

The most common path that the messages were sent from is /home/#####/domains/#####.com/public_html/administrator, at 1001 emails (100%).
The path value may only be of use if it's pointing to that of a User's home directory.
If the path is a system path, it likely means the email was sent through smtp rather than using a script.

This warning was generated because the 1000 email threshold was hit.

================================
Automated Message Generated by DirectAdmin

The hosting company say that the emails were not sent by their server and that the site has probably been hacked. I've spent days trying to find where the exploit happened but am still lost. Can anyone point me in the right direction? At my wits' end! Sorry if I've not provided enough info.
 
Hello,

While emails are counted by DirectAdmin, it is possible to trace them in /var/log/exim/mainlog.
So read and learn Exim's mainlog and I hope you'll find what you are looking for.

Note, I can help you with the issue in terms of a commerce service. So if you need my private assistance, feel free to PM me.
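
An added example, not part of the reply above or of DirectAdmin: one way to summarize an Exim mainlog so that script-submitted mail (the "path" in the DirectAdmin warning) can be told apart from mail accepted over SMTP. It assumes the `cwd=... args:` lines are being logged (Exim's `arguments` log selector) and that user homes live under `/home/`; the log lines are constructed samples and the `summarize` function name is hypothetical.

```python
import re
from collections import Counter

# Constructed sample lines in Exim mainlog format (not from the poster's server).
SAMPLE_LOG = """\
2012-06-12 10:15:01 cwd=/home/user1/domains/example.com/public_html/administrator 3 args: /usr/sbin/sendmail -t -i
2012-06-12 10:15:01 1SeAbC-0001Ab-2C <= user1@example.com U=user1 P=local S=1834
2012-06-12 10:15:02 1SeAbC-0001Ab-2C => a@example.net R=lookuphost T=remote_smtp H=mx.example.net [192.0.2.10]
2012-06-12 10:15:02 1SeAbC-0001Ab-2C Completed
2012-06-12 10:15:03 cwd=/home/user1/domains/example.com/public_html/administrator 3 args: /usr/sbin/sendmail -t -i
2012-06-12 10:15:03 1SeAbD-0001Ac-3D <= user1@example.com U=user1 P=local S=1790
2012-06-12 10:16:10 cwd=/var/spool/exim 4 args: /usr/sbin/exim -Mc 1SeAbD-0001Ac-3D
2012-06-12 10:17:44 1SeAbE-0001Ad-4E <= info@example.com H=(client) [198.51.100.7] P=esmtpa A=login:info@example.com S=2210
"""

# "cwd=<dir> <n> args: ..." is written when a process invokes exim/sendmail.
CWD_RE = re.compile(r"^\S+ \S+ cwd=(\S+) \d+ args: ")
# "<msgid> <= <sender> ..." marks a message being accepted into the queue.
ARRIVAL_RE = re.compile(r"^\S+ \S+ \S+ <= (\S+) (.*)$")

def summarize(log_text, home_prefix="/home/"):
    """Count submissions per script directory and per sender, split by origin."""
    script_dirs, local_senders, smtp_senders = Counter(), Counter(), Counter()
    for line in log_text.splitlines():
        m = CWD_RE.match(line)
        if m:
            # System paths (e.g. the spool directory) are queue runs, not scripts.
            if m.group(1).startswith(home_prefix):
                script_dirs[m.group(1)] += 1
            continue
        m = ARRIVAL_RE.match(line)
        if m:
            sender, fields = m.group(1), m.group(2).split()
            # P=local means the message was handed over on the host itself.
            target = local_senders if "P=local" in fields else smtp_senders
            target[sender] += 1
    return script_dirs, local_senders, smtp_senders

if __name__ == "__main__":
    dirs, local, smtp = summarize(SAMPLE_LOG)
    for label, counts in (("script dir", dirs), ("local sender", local),
                          ("smtp sender", smtp)):
        for key, n in counts.most_common():
            print(f"{label:13} {n:5}  {key}")
```

A directory under a user's home that dominates the first group is where to look for the script doing the sending; senders in the SMTP group point instead to a mailbox login being used.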
 
Thanks for your help! Unfortunately I don't have access to the exim log, I'll ask the hosting company if they can check it.
 