My personal email account (and only mine) on my Zimbra server is being used to send spam. I noticed an issue when I started getting a bunch of bounced messages I never sent. I looked in /var/log/maillog and sure enough I see successful auth for my account from places it should have never been accessed from. I immediately changed my password, but a few hours later it started up again. I changed it once again (these are strong passwords!) and again the same thing. I've scanned my Zimbra server and all the other systems on my network for rootkits and found none. I allow plain text passwords and don't require TLS because I use a self-signed cert and I have users that insist on using Outlook. For my account, however, I ALWAYS use TLS. My webmail is HTTPS only. I haven't been using any systems that I don't personally own. I can't really see how anyone could easily sniff my passwords.
Besides the password change I've tried several things:
1. Setting up a forwarding email address for my account: This catches all mail to my account and mail I send but NOT any messages the spammers are sending.
2. Set up packet captures on all my Zimbra ports... I see all spammer messages being sent via 587 with TLS.
3. There have been no attempts to access IMAP for my account other than from myself.
I'm not sure if it is related or not but this all started 2 days after I upgraded to Zimbra 8.
Release 8.0.0_GA_5434.RHEL6_64_20120907144639 CentOS6_64 FOSS edition.
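The check the poster describes, grepping /var/log/maillog for successful SASL logins to one account from places it should never come from, is easy to automate. The script below is an added example, not code from the original post or from Zimbra; the log lines are constructed in the standard Postfix `smtpd` SASL format, and the account name `me@example.com` and the trusted network `192.168.1.0/24` are assumptions you would replace with your own.

```python
import ipaddress
import re
import sys
from collections import Counter

# Constructed sample /var/log/maillog lines in Postfix/Zimbra style (not real data).
# The third line uses a second outside address; the last line is a failed login
# and must be ignored, because only successful logins carry sasl_username=.
SAMPLE_LOG = """\
Sep 10 08:12:01 zimbra postfix/submission/smtpd[4111]: 1A2B3C4D5E: client=unknown[192.168.1.20], sasl_method=PLAIN, sasl_username=me@example.com
Sep 10 08:40:17 zimbra postfix/submission/smtpd[4120]: 2B3C4D5E6F: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=me@example.com
Sep 10 08:41:02 zimbra postfix/submission/smtpd[4120]: 3C4D5E6F7A: client=unknown[203.0.113.45], sasl_method=LOGIN, sasl_username=me@example.com
Sep 10 09:05:33 zimbra postfix/submission/smtpd[4133]: 4D5E6F7A8B: client=unknown[198.51.100.7], sasl_method=PLAIN, sasl_username=me@example.com
Sep 10 09:06:10 zimbra postfix/submission/smtpd[4133]: 5E6F7A8B9C: client=unknown[192.168.1.31], sasl_method=PLAIN, sasl_username=bob@example.com
Sep 10 09:07:44 zimbra postfix/submission/smtpd[4140]: warning: unknown[203.0.113.45]: SASL LOGIN authentication failed: authentication failure
"""

# Matches a successful SASL authentication line: syslog timestamp, host,
# postfix/.../smtpd[pid]: QUEUEID: client=host[ip], sasl_method=X, sasl_username=Y
SASL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d{1,2} \d{2}:\d{2}:\d{2}) \S+ postfix\S*/smtpd\[\d+\]: "
    r"[0-9A-Za-z]+: client=[^\[]+\[(?P<ip>[0-9a-fA-F.:]+)\], "
    r"sasl_method=(?P<method>\w+), sasl_username=(?P<user>\S+)"
)


def parse_sasl_logins(log_text):
    """Yield (timestamp, user, ip_address, method) for each successful SASL login."""
    for line in log_text.splitlines():
        m = SASL_RE.match(line)
        if m:
            yield (m.group("ts"), m.group("user"),
                   ipaddress.ip_address(m.group("ip")), m.group("method"))


def find_untrusted_logins(log_text, account, trusted_networks):
    """Return [(timestamp, ip, method)] for logins to `account` from outside
    every network in `trusted_networks` (CIDR strings)."""
    nets = [ipaddress.ip_network(n) for n in trusted_networks]
    hits = []
    for ts, user, ip, method in parse_sasl_logins(log_text):
        if user != account:
            continue
        if any(ip in net for net in nets):
            continue  # expected location, nothing to report
        hits.append((ts, str(ip), method))
    return hits


def summarize_by_ip(hits):
    """Count untrusted logins per source IP, most frequent first."""
    return Counter(ip for _, ip, _ in hits)


if __name__ == "__main__":
    # Usage: python check_sasl.py [/var/log/maillog]; with no path, runs on SAMPLE_LOG.
    text = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE_LOG
    hits = find_untrusted_logins(text, "me@example.com", ["192.168.1.0/24"])
    for ts, ip, method in hits:
        print(f"{ts} untrusted login from {ip} via {method}")
    for ip, n in summarize_by_ip(hits).most_common():
        print(f"{ip}: {n} login(s)")
```

Only successful logins carry `sasl_username=`, so the failed-authentication warning in the sample is correctly skipped; the per-IP summary is what you would feed into a firewall block or a fail2ban jail while the root cause of the credential leak is still open.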