Posts Tagged ‘EXIM’

Log users sending mail through “nobody”

February 26th, 2010

Under Tweak Settings, you may have stumbled across the option to disable the following setting: “Prevent the user “nobody” from sending out mail to remote addresses (PHP and CGI scripts generally run as nobody if you are not using PHPSuexec and Suexec respectively.)” However, if you would rather pinpoint the users that are sending mail through root@host.domain.com, you can set up EXIM to log every outgoing attempt so you can resolve it issue by issue.

To do so you will need to go to WHM > Server Configuration > EXIM Configuration and then go to “Advanced Options.” In the first field you will add the following and then save:

log_selector = +address_rewrite +all_parents +arguments +connection_reject +delay_delivery +delivery_size +dnslist_defer +incoming_interface +incoming_port +lost_incoming_connection +queue_run +received_sender +received_recipients +retry_defer +sender_on_delivery +size_reject +skip_delivery +smtp_confirmation +smtp_connection +smtp_protocol_error +smtp_syntax_error +subject

Once you’ve saved that, you can access the EXIM log entries for nobody senders by logging in over SSH and running the following command:
grep cwd=/home /var/log/exim_mainlog

That command will show you the path for every user that is sending mail via sendmail through exim. While it will not give you the filename, you will have the username and directory name. From there you can resolve the issue.
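The cwd= field appears in the log because of the +arguments selector in the line above. As an added example (not part of the original post), the shell function below tallies those entries per account and directory so the busiest senders stand out; the function names and the sample log lines are constructed for illustration, and it assumes directory paths without spaces.

```shell
#!/bin/sh
# Added example: count Exim "cwd=" log entries per /home directory.
# Prints "<count> <account> <directory>", busiest first.

summarize_cwd() {
    # $1: path to an Exim main log (e.g. /var/log/exim_mainlog)
    awk '
        {
            # Find the cwd= field wherever it sits on the line.
            for (i = 1; i <= NF; i++)
                if ($i ~ /^cwd=\/home\//) {
                    dir = substr($i, 5)      # drop the "cwd=" prefix
                    count[dir]++
                }
        }
        END {
            for (d in count) {
                split(d, p, "/")             # p[3] is the account under /home
                printf "%d %s %s\n", count[d], p[3], d
            }
        }
    ' "$1" | sort -k1,1nr -k3,3
}

# Constructed sample log lines (hypothetical accounts "alice" and "bob").
write_sample_log() {
    cat > "$1" <<'EOF'
2010-02-26 10:15:01 cwd=/home/alice/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2010-02-26 10:15:04 cwd=/home/alice/public_html/forum 3 args: /usr/sbin/sendmail -t -i
2010-02-26 10:15:09 cwd=/home/bob/public_html 3 args: /usr/sbin/sendmail -t -i
2010-02-26 10:16:00 cwd=/var/spool/exim 2 args: /usr/sbin/exim -q
2010-02-26 10:16:12 cwd=/home/alice/public_html/forum 4 args: /usr/sbin/sendmail -t -i -fnobody@host.example.com
EOF
}

# Demo run against the constructed sample.
sample=$(mktemp)
write_sample_log "$sample"
summarize_cwd "$sample"
rm -f "$sample"
```

On a live server, call `summarize_cwd /var/log/exim_mainlog`; a directory with a sudden, high count is the first place to look for the script generating the mail.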