It's happening right now, to my account, and so far we've not been able to stop it. We've restarted Zimbra, changed passwords, etc...
Sep 26 18:53:20 mail postfix/smtpd: connect from unknown[126.96.36.199]
Sep 26 18:53:21 mail postfix/smtpd: 18E3E40BE420: client=60-249-165-131.HINET-IP.hinet.net[188.8.131.52], sasl_method=LOGIN, firstname.lastname@example.org
Sep 26 18:53:21 mail postfix/cleanup: 18E3E40BE420: message-id=<OUTLOOK-IDM-80b74662-f4a0-a9ec-afee-d89553defab1@trml-1>
Active Directory authentication, Zimbra zcs-NETWORK-7.1.1_GA_3196.RHEL5_64.20110527001604, CentOS 5.8 x86_64.
Suggestions? What should we look for? They're connecting in and apparently auth'ing as me and then sending out tons of SPAM. I'm getting tons of bounce messages back. We've not been blacklisted anywhere yet but I figure that's next. We've confirmed from some of the headers in the bounced emails that the spam is originating here, not some other open relay with my address as the from:
PS. OS was not fully updated, "yum update" is upgrading cyrus-sasl from 2.1.22-5 to 2.1.22-7 now. Not sure if related or not...