Sometimes, hackers like to upload malicious script inside compromised website to sending out spam. On Cpanel you can check and identify where the spam script is located using the below command.
grep cwd /var/log/exim_mainlog | grep -v /var/spool | awk -F"cwd=" '{print $2}' | awk '{print $1}' | sort | uniq -c | sort -n
To clear out exim queue, simply run
exim -bp | grep frozen | awk {'print $3'} | xargs exim -Mrm