On Fri, May 25, 2012 at 11:45 AM, John Doe Smith Kamau KipNg'etich Jones <skunkworks.ku@gmail.com> wrote:
Hello good people ,

I have a rogue account sending mails from my webmail, actually multiple email accounts doing this... been deleting this manually from the exim queue... They beat me to that game... too many mails to keep up with. Some help someone?

That's for the short term... I further need to identify which user in my network this mails are emanating from... a pointer on how to go about this is welcome too.


I could answer your questions very well, but your first sentence is not clear to me at all - "sending mails from my webmail" is not what you needed to say, because that must be you sending mail. "actually multiple e-mail accounts doing this" confuses the hell out of me.
"been deleting this manually from the Exim queue" - that can be solved by rate-limiting - a feature of Exim. With rate-limiting, there is no way anyone/anything can beat you to the game. Anyway, once you rephrase that first part of your question, I will give you a sure solution!

On the second part, you say you need to "identify which user in my network this (these?) mails are emanating from". Here is how to do it:

First, impose a mandatory delay of N minutes on all e-mails hitting your server. You do this by inserting the following router as the very first router (just below the "begin routers" clause):

delay_outgoing:
   driver = redirect
   senders = ! : ! lsearch;/etc/exim/vip_senders
   condition = ${if < {$message_age}{600}{yes}{no}}
   allow_defer
   data = :defer: message not old enough
   no_verify
 
Create the file /etc/exim/vip_senders and inside it, put , one per line, addresses of those senders whose e-mails you don't want to delay (unless you want to lose your job!). Anyone whose address does NOT appear in that file will have their e-mails delayed for 10 minutes (600 seconds). However, bounces (from the null sender) will still be processed. This gives you the opportunity to go through the e-mails on the queue and find out who is sending them.

Please restart Exim after adding that router.

In no time, your queue will be full. Look at the queue using the command `exim -bp | less` . You will be able to identify mails with almost same characteristic - like same sender address. Here is an example with obfuscated data:

65h   15K 1SWrhD-0009EB-3s <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name

65h  4.9K 1SWrwe-000BAx-6w <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name

50h   19K 1SX5zE-0003vq-HD <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name

27h  3.4K 1SXR3Y-000IT3-KL <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name

25h   16K 1SXSxP-000Pip-30 <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name

23h   12K 1SXV7f-0007fB-Gk <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name

23h  5.6K 1SXVQ3-0009d6-I9 <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name

21h  6.5K 1SXXAn-000GGo-KL <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name

19h  7.5K 1SXYID-000Kr2-3d <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name

14h  7.7K 1SXdPi-000C5R-Hy <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name

14h   16K 1SXdbd-000Def-C5 <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name


In these examples, the part inside the < > is the sender address. I am sure you know what a Message-ID is already. So if the sender address is not obvious, then try and look at the headers of these e-mails to figure out which host is sending them:

exim -Mvh Message-ID | less (i.e. exim -Mvh 1SXdPi-000C5R-Hy | less)

I am insisting on piping to less because some headers can be too long.

That way you will see the full details about this particular message. You can then take the necessary action.

I hope your server is not an Open Relay, being used by spammers!


I hope that helps.

You are welcome to seek further help.

--
Best regards,
Odhiambo WASHINGTON,
Nairobi,KE
+254733744121/+254722743223
_ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _ _
I can't hear you -- I'm using the scrambler.
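To make the "same sender address" pattern in the `exim -bp` listing above stand out at a glance, here is an added example that is not part of the original e-mail: it groups a queue listing by sender and keeps the message IDs per sender for follow-up with `exim -Mvh`. The queue lines inside it are constructed sample data in the format shown above (two IDs taken from the listing, two made up).

```shell
#!/bin/sh
# Added example, not part of the original e-mail: group an `exim -bp`
# listing by sender so the account flooding the queue stands out, and
# keep the message IDs per sender for `exim -Mvh <id> | less`.

# Constructed sample in the `exim -bp` format shown in the e-mail
# (two IDs from the listing above plus two made-up entries).
SAMPLE_QUEUE='65h   15K 1SWrhD-0009EB-3s <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name

23h  5.6K 1SXVQ3-0009d6-I9 <list-bounces+johndoe=somedomain.name@mylists.name>
          johndoe@somedomain.name

 2h  3.1K 1SXZZZ-000AAA-01 <alice@example.org>
          bob@example.net

 1h   10K 1SXZZZ-000BBB-02 <>
          postmaster@example.org
'

# Usage: exim -bp | queue_by_sender
# Output: "<count> <sender> <id> <id> ...", busiest sender first.
queue_by_sender() {
    awk '
        # First line of each entry: <age> <size> <message-id> <sender>
        # (frozen messages add "*** frozen ***"). Recipient lines are
        # indented and have a single field, so they are skipped.
        NF >= 4 && $3 ~ /^[0-9A-Za-z]+-[0-9A-Za-z]+-[0-9A-Za-z]+$/ && $4 ~ /^<.*>$/ {
            # "<>" is the null sender: bounces, which the delay router lets through.
            sender = ($4 == "<>") ? "<>(bounce)" : $4
            count[sender]++
            ids[sender] = ids[sender] " " $3
        }
        END {
            for (s in count) printf "%d %s%s\n", count[s], s, ids[s]
        }
    ' | sort -rn
}

# On a live server replace the sample with: exim -bp | queue_by_sender
printf '%s' "$SAMPLE_QUEUE" | queue_by_sender
```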