Ok, I had this problem this morning and found a really quick way to stop it. Was not quick until I learned how to do this.
1. If you see a lot (A LOT) of exim and sendmails in your top process and suspect somebody is sending out mass mail you can do the following:
Note: if you enable phpsuexec is should show in the top process but for the rest of us who do not know it enough to run it it will show as user nobody.
Step 1.
disable exim
chmod 000 /usr/sbin/exim
Step 2.
watch the httpd error logs
tail -f /etc/httpd/logs/error_log
You will start to see a lot of permishion denied errors. It will show what file and what user is causing the spike in your server.
Then goto there directory and look at the file and see what they are doing.
In my case, a user was sending out 50,000 emails.
I suspended his account in WHM, moved all his php scripts to a off-line directory/drive and removed the files from his web site.
Now, once you have determined if the user is spamming or sending out mass mail use your best jugment to determin if you should delete the account or not.
I hope this helps, I spent 4+ hrs working on this until I figured out this quick and dirty way to determin who is causing the problem.
__________________ Turnkey Resellers www.turnkeyresellers.com
Reseller Hosting and PHP Programming
for those of you that use qmail as your mailserver, if you are getting mailbombed. (not spam being sent from ur server, but geting a mailbomb to ur server)
Now that is cool, this might work with exim too as I am pretty possitive if you replace maillog with exim_mainlog you shold be able to apply this practise with cpanel also.
__________________ Turnkey Resellers www.turnkeyresellers.com
Reseller Hosting and PHP Programming
I love seeing tips like these, maybe something can be added to the articles ( www.hostingrefuge.com/articles ) for this?
Think it would be a great idea to help people in the future
Those are damn good ones, cheers guys, save that lot as a text file on yer desktops 
New Post
Old Post
