Hi at all,
in those days spammers broke smtp authentication and they're sending a lot of spam from my mail server.
At first I notice a lot of auth of user admin:
zimbra.log
Code:
Apr 27 18:11:22 lnxgateda saslauthd[31646]: zmauth: authenticating against elected url 'https://mail.ciebspa.it:7071/service/admin/soap/' ...
Apr 27 18:11:22 lnxgateda saslauthd[31646]: zmpost: url='https://mail.xxxxxxxxxx.it:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="3403"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_f314449532eabd3a7b5c3266e7f1d9b618e0e30a_69643d33363a66613861303534392d306338652d343163302d626463632d3765303536623034613932633b6578703d31333a313330343039333438323531333b76763d313a303b747970653d363a7a696d6272613b</authToken><lifetime>172800000</lifetime><skin>carbon</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
Apr 27 18:11:22 lnxgateda saslauthd[31646]: auth_zimbra: admin auth OK
Apr 27 18:11:23 lnxgateda postfix/smtpd[30107]: 080E429CC0E7: client=unknown[216.24.204.190], sasl_method=LOGIN, sasl_username=admin
Apr 27 18:11:32 lnxgateda postfix/cleanup[30185]: 080E429CC0E7: message-id=<20110427161123.080E429CC0E7@mail.xxxxxxxxx.it>
Apr 27 18:11:32 lnxgateda postfix/qmgr[7941]: 080E429CC0E7: from=<ememebercenter@ups.com>, size=6681, nrcpt=50 (queue active)
Apr 27 18:11:32 lnxgateda postfix/smtpd[30107]: disconnect from unknown[216.24.204.190]
Apr 27 18:11:32 lnxgateda amavis[32032]: (32032-01) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20110427T181132-32032: <ememebercenter@ups.com> -> <ljhill@aol.com>,<ljjjmarc@aol.com>,<ljlazard@aol.com>,<ljludy@aol.com>,<ljm0127@aol.com>,<ljmbsmlegal@aol.com>,<ljohnkj@aol.com>,<ljones1945@aol.com>,<ljonesdenise@aol.com>,<ljperez75@aol.com>,<ljrcwells@aol.com>,<ljs385@aol.com>,<ljones@boyshaven.org>,<ljhollenbeck@charter.net>,<ljr225@charter.net>,<ljhaley764@comcast.net>,<ljohn10557@comcast.net>,<ljmasil@cox.net>,<ljley@cs.com>,<ljschultz@dslextreme.com>,<ljoe19421@earthlink.com>,<ljkanofsky@gmail.com>,<ljnelson1989@gmail.com>,<ljpatron@gmail.com>,<ljkelly@granbury.com>,<ljgardner7@hotmail.com>,<ljl7joy@hotmail.com>,<ljlove21@hotmail.com>,<ljs510769@hotmail.com>,<ljs_designs@hotmail.com>,<ljredder@juno.com>,<l-j-scott@live.com>,<ljoesten@live.com>,<ljn0913@msn.com>,<ljohnson3@myway.com>,<ljmj@sumnet.tv>,<ljfuson71@yahoo.com>,<ljinjax@yahoo.com>,<ljlaa5@yahoo.com>,<ljmoore82@yahoo.com>,<ljnic22@yahoo....
So I changed the password, but they still " auth_zimbra: admin auth OK", so I deleted all the session of user admin (account-->right click on admin---> delete session) but they still send mail.
So I created other user, I gived it admin priviledges and I blocked old user admin.

How can I block this situation from the source?
Zimbra vers:
Release 7.0.1_GA_3105.RHEL5_64_20110304210645 CentOS5_64 FOSS edition.


Thank's at all!