The increasing size of the Exim queue size is indeed alarming. This would make me think that there is “something” that sends out emails (or trying to send). Thoroughly check that the emails in the queue are legit. If they’re not, flush the queue. This may help you: Exim Cheatsheet
Disabling php mail() function is a good thought. But you might also consider logging what is going on with that function, to have a better insight. Please consider the following code snippet I use to keep track of the mail() function:
# Log all calls of PHP mail() function to track spam abuse
# This configuration assumes that php-fpm is in use
touch /var/log/phpmail.log
chown admin:hestia-users /var/log/phpmail.log # Need to set owner/group so all users can write to file
chmod 660 /var/log/phpmail.log
sed -i 's:;mail.log = syslog:mail.log = \/var\/log\/phpmail.log:' /etc/php/*/fpm/php.ini
sed -i 's:mail.add_x_header = Off:mail.add_x_header = On:' /etc/php/*/fpm/php.ini
systemctl restart php*-fpm.service apache2.service
This will log all mail() calls in /var/log/phpmail.log, so you’ll be able to check what is going on.
Another suggestion that comes to my mind is to make use of the IP Lists (Settings > Firewall > Manage IP lists > Add IP list > Data souce = Block malicious).
Do have a look at this as well: Max CPU/RAM and ClamAV disabled - #6 by Felix