I was notified by my ISP that my server was reported for spam and I need to correct the problem or face shutdown. Although I've worked with other MTA in the past, I'm a bit of a Zimbra newb, so I honestly am not sure how to begin tracking down the source of this problem.

I tested to make sure it's not an open relay. I only allow SSL/TLS connections. I checked my trusted networks. From what I gather, I suspect this is a coming from a compromised account, but being new to Zimbra I'm confused on how to read the logs.

I checked my daily mail report, but the top senders seems to include ALL senders, not just user accounts. For example, I took a few that were obvious spam senders and tried to egrep them in the logs, but it didn't give me any indication of which account had sent them. I had the COS set to allow sending from any address (which I've now disabled), so I assume the exploiter has taken advantage of this.

I've tried looking into the audit log, but nothing stands out, probably because I'm not entirely sure what to look for. I see the POP3 authentications, but I'm not entirely clear what to look for in relay authentications.

Can somebody please help me get going?