Dear Guys,

Recently I have been experiencing an issue with my Zimbra. "Someone" from outside, using random public IPs, entered and successfully authenticated into
my Zimbra and started to send spam mails through this username: "whchoy" (as shown in the quote below). I am not able to determine where this attacker is from. This username "whchoy" is valid in our database. Not sure if this was sent via a "bot". Is there any way I am able to block or prevent such an incident from happening? Even as I type now, the attack is still ongoing... Hope to hear from you guys soon. Appreciate your assistance very much. Thank you.

Oct 31 13:52:35 mail postfix/smtpd[13404]: connect from unknown[113.19.211.114]
Oct 31 13:52:37 mail saslauthd[5142]: zmauth: authenticating against elected url 'https://mail.abc.com.my:7071/service/admin/soap/' ...
Oct 31 13:52:37 mail saslauthd[5142]: zmpost: url='https://mail.abc.com.my:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="68491"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_3b538077459 5f92d005b24c10d8faafd1187ff1a_69643d33363a31313735 653533622d343139342d343235662d626633302d6665366265 323235663731333b6578703d31333a31333531383335353537 3530333b76763d313a333b747970653d363a7a696d6272613b </authToken><lifetime>172799999</lifetime><skin>carbon</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
Oct 31 13:52:37 mail saslauthd[5142]: auth_zimbra: whchoy auth OK
Oct 31 13:52:38 mail postfix/smtpd[13404]: D1E374B8368: client=unknown[113.19.211.114], sasl_method=LOGIN, sasl_username=whchoy
Oct 31 13:52:39 mail postfix/cleanup[15735]: D1E374B8368: message-id=<20121031055238.D1E374B8368@mail.abc.com.my>
Oct 31 13:52:39 mail postfix/qmgr[12130]: D1E374B8368: from=<whchoy@abc.com.my>, size=619, nrcpt=1 (queue active)
Oct 31 13:52:39 mail amavis[15816]: (15816-02) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20121031T135156-15816: <whchoy@abc.com.my> -> <chb3@frontiernet.net> SIZE=619 Received: from mail.abc.com.my ([127.0.0.1]) by localhost (mail.abc.com.my [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <chb3@frontiernet.net>; Wed, 31 Oct 2012 13:52:39 +0800 (MYT)
Oct 31 13:52:39 mail amavis[15816]: (15816-02) Checking: Yai3feXlb3nM [113.19.211.114] <whchoy@abc.com.my> -> <chb3@frontiernet.net>
Oct 31 13:52:39 mail amavis[15816]: (15816-02) Open relay? Nonlocal recips but not originating: chb3@frontiernet.net
Oct 31 13:52:40 mail postfix/smtpd[13404]: disconnect from unknown[113.19.211.114]
Oct 31 13:52:40 mail postfix/smtpd[14544]: 8FE4F4B8516: client=localhost.localdomain[127.0.0.1]
Oct 31 13:52:40 mail postfix/cleanup[14243]: 8FE4F4B8516: message-id=<20121031055238.D1E374B8368@mail.abc.com.my>
Oct 31 13:52:40 mail opendkim[2952]: 8FE4F4B8516: DKIM-Signature header added (s=default, d=abc.com.my)
Oct 31 13:52:40 mail postfix/smtpd[14544]: disconnect from localhost.localdomain[127.0.0.1]
Oct 31 13:52:40 mail postfix/qmgr[12130]: 8FE4F4B8516: from=<whchoy@abc.com.my>, size=1098, nrcpt=1 (queue active)
Oct 31 13:52:40 mail amavis[15816]: (15816-02) FWD via SMTP: <whchoy@abc.com.my> -> <chb3@frontiernet.net>,BODY=7BIT 250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8FE4F4B8516
Oct 31 13:52:40 mail amavis[15816]: (15816-02) Passed CLEAN, [113.19.211.114] [113.19.211.114] <whchoy@abc.com.my> -> <chb3@frontiernet.net>, Message-ID: <20121031055238.D1E374B8368@mail.abc.com.my>, mail_id: Yai3feXlb3nM, Hits: -4.358, size: 619, queued_as: 8FE4F4B8516, 855 ms
Oct 31 13:52:40 mail postfix/smtp[15709]: D1E374B8368: to=<chb3@frontiernet.net>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.2, delays=1.4/0/0/0.85, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 8FE4F4B8516)
Oct 31 13:52:40 mail postfix/qmgr[12130]: D1E374B8368: removed
Oct 31 13:52:42 mail postfix/smtp[15341]: 8FE4F4B8516: to=<chb3@frontiernet.net>, relay=mx.frontiernet.net[66.133.129.79]:25, delay=1.7, delays=0.05/0/0.92/0.78, dsn=5.0.0, status=bounced (host mx.frontiernet.net[66.133.129.79] said: 550 #5.7.1 Your access to submit messages to this e-mail system has been rejected. (in reply to RCPT TO command))
Oct 31 14:12:41 mail postfix/smtpd[10017]: connect from unknown[183.80.108.114]
Oct 31 14:12:43 mail saslauthd[5142]: zmauth: authenticating against elected url 'https://mail.abc.com.my:7071/service/admin/soap/' ...
Oct 31 14:12:43 mail saslauthd[5142]: zmpost: url='https://mail.abc.com.my:7071/service/admin/soap/' returned buffer->data='<soap:Envelope xmlns:soap="http://www.w3.org/2003/05/soap-envelope"><soap:Header><context xmlns="urn:zimbra"><change token="68588"/></context></soap:Header><soap:Body><AuthResponse xmlns="urn:zimbraAccount"><authToken>0_2b3428fecfe d821040d64603beadf57d79915ccd_69643d33363a31313735 653533622d343139342d343235662d626633302d6665366265 323235663731333b6578703d31333a31333531383336373633 3833363b76763d313a333b747970653d363a7a696d6272613b </authToken><lifetime>172800000</lifetime><skin>carbon</skin></AuthResponse></soap:Body></soap:Envelope>', hti->error=''
Oct 31 14:12:43 mail saslauthd[5142]: auth_zimbra: whchoy auth OK
Oct 31 14:12:45 mail postfix/smtpd[10017]: 68D584B8526: client=unknown[183.80.108.114], sasl_method=LOGIN, sasl_username=whchoy
Oct 31 14:12:46 mail postfix/cleanup[24289]: 68D584B8526: message-id=<20121031061245.68D584B8526@mail.abc.com.my>
Oct 31 14:12:46 mail postfix/qmgr[12130]: 68D584B8526: from=<whchoy@abc.com.my>, size=898, nrcpt=1 (queue active)
Oct 31 14:12:46 mail amavis[26166]: (26166-04) ESMTP::10024 /opt/zimbra/data/amavisd/tmp/amavis-20121031T141007-26166: <whchoy@abc.com.my> -> <rterrenate_68@yahoo.com> SIZE=898 BODY=8BITMIME Received: from mail.abc.com.my ([127.0.0.1]) by localhost (mail.abc.com.my [127.0.0.1]) (amavisd-new, port 10024) with ESMTP for <rterrenate_68@yahoo.com>; Wed, 31 Oct 2012 14:12:46 +0800 (MYT)
Oct 31 14:12:46 mail amavis[26166]: (26166-04) Checking: yVv8xymH8-pE [183.80.108.114] <whchoy@abc.com.my> -> <rterrenate_68@yahoo.com>
Oct 31 14:12:46 mail amavis[26166]: (26166-04) Open relay? Nonlocal recips but not originating: rterrenate_68@yahoo.com
Oct 31 14:12:47 mail postfix/smtpd[24639]: connect from localhost.localdomain[127.0.0.1]
Oct 31 14:12:47 mail postfix/smtpd[24639]: 4771A4B852B: client=localhost.localdomain[127.0.0.1]
Oct 31 14:12:47 mail postfix/cleanup[24301]: 4771A4B852B: message-id=<20121031061245.68D584B8526@mail.abc.com.my>
Oct 31 14:12:47 mail opendkim[2952]: 4771A4B852B: DKIM-Signature header added (s=default, d=abc.com.my)
Oct 31 14:12:47 mail postfix/smtpd[24639]: disconnect from localhost.localdomain[127.0.0.1]
Oct 31 14:12:47 mail postfix/qmgr[12130]: 4771A4B852B: from=<whchoy@abc.com.my>, size=1383, nrcpt=1 (queue active)
Oct 31 14:12:47 mail amavis[26166]: (26166-04) FWD via SMTP: <whchoy@abc.com.my> -> <rterrenate_68@yahoo.com>,BODY=7BIT 250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4771A4B852B
Oct 31 14:12:47 mail amavis[26166]: (26166-04) Passed CLEAN, [183.80.108.114] [183.80.108.114] <whchoy@abc.com.my> -> <rterrenate_68@yahoo.com>, Message-ID: <20121031061245.68D584B8526@mail.abc.com.my>, mail_id: yVv8xymH8-pE, Hits: -4.175, size: 898, queued_as: 4771A4B852B, 826 ms
Oct 31 14:12:47 mail postfix/smtp[24993]: 68D584B8526: to=<rterrenate_68@yahoo.com>, relay=127.0.0.1[127.0.0.1]:10024, delay=2.4, delays=1.6/0/0/0.83, dsn=2.0.0, status=sent (250 2.0.0 from MTA([127.0.0.1]:10025): 250 2.0.0 Ok: queued as 4771A4B852B)
Oct 31 14:12:47 mail postfix/qmgr[12130]: 68D584B8526: removed
Oct 31 14:12:47 mail postfix/smtpd[10017]: disconnect from unknown[183.80.108.114]
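One way to spot the pattern in these logs, added here as an example and not part of the original post or of Zimbra itself: a script that keys on the Postfix `sasl_username=` lines (the saslauthd `auth OK` lines carry no client IP, so the smtpd line is the one to correlate), sums recipients from the matching `qmgr` line by queue ID, and flags any account that authenticates from more than a threshold of distinct public addresses or submits more than a threshold of recipients. The sample log lines are constructed to match the format in the post, and the threshold values, the year used to complete the syslog timestamps, and the extra "alice" account are assumptions for the example.

```python
"""Flag mail accounts whose SMTP AUTH logins come from many distinct public IPs.

Added example, not part of the original forum post or of Zimbra. The sample log
lines are constructed in the Postfix/saslauthd format shown in the post; the
thresholds, the year and the "alice" account are assumptions for the example.
"""
import ipaddress
import re
from collections import defaultdict
from datetime import datetime

# Constructed sample log: two lines modelled on the post, one more hit from a
# third address, and one legitimate user submitting from a LAN address.
SAMPLE_LOG = """\
Oct 31 13:52:35 mail postfix/smtpd[13404]: connect from unknown[113.19.211.114]
Oct 31 13:52:37 mail saslauthd[5142]: auth_zimbra: whchoy auth OK
Oct 31 13:52:38 mail postfix/smtpd[13404]: D1E374B8368: client=unknown[113.19.211.114], sasl_method=LOGIN, sasl_username=whchoy
Oct 31 13:52:39 mail postfix/qmgr[12130]: D1E374B8368: from=<whchoy@abc.com.my>, size=619, nrcpt=1 (queue active)
Oct 31 14:12:45 mail postfix/smtpd[10017]: 68D584B8526: client=unknown[183.80.108.114], sasl_method=LOGIN, sasl_username=whchoy
Oct 31 14:12:46 mail postfix/qmgr[12130]: 68D584B8526: from=<whchoy@abc.com.my>, size=898, nrcpt=1 (queue active)
Oct 31 14:20:01 mail postfix/smtpd[10020]: 1234A4B8600: client=unknown[41.0.0.5], sasl_method=LOGIN, sasl_username=whchoy
Oct 31 14:20:02 mail postfix/qmgr[12130]: 1234A4B8600: from=<whchoy@abc.com.my>, size=900, nrcpt=25 (queue active)
Oct 31 14:25:00 mail postfix/smtpd[10031]: 5678B4B8611: client=unknown[192.168.1.20], sasl_method=LOGIN, sasl_username=alice
Oct 31 14:25:01 mail postfix/qmgr[12130]: 5678B4B8611: from=<alice@abc.com.my>, size=500, nrcpt=1 (queue active)
"""

# smtpd line that records a successful SASL login together with the client IP.
AUTH_RE = re.compile(
    r"^(?P<ts>[A-Z][a-z]{2}\s+\d{1,2} \d\d:\d\d:\d\d) \S+ postfix/smtpd\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): client=\S+?\[(?P<ip>[^\]]+)\], "
    r"sasl_method=\S+, sasl_username=(?P<user>\S+)$"
)
# qmgr line for the same queue ID; nrcpt gives the recipient count.
QMGR_RE = re.compile(
    r"^\S+\s+\d{1,2} \d\d:\d\d:\d\d \S+ postfix/qmgr\[\d+\]: "
    r"(?P<qid>[0-9A-F]+): from=<[^>]*>, size=\d+, nrcpt=(?P<n>\d+)"
)


def is_public(ip):
    """True for routable addresses; LAN, loopback and link-local logins are ignored."""
    addr = ipaddress.ip_address(ip)
    return not (addr.is_private or addr.is_loopback or addr.is_link_local or addr.is_reserved)


def parse_log(text, year=2012):
    """Return (auth events, recipients by queue ID). Syslog stamps lack a year, so one is supplied."""
    events, rcpt_by_qid = [], {}
    for line in text.splitlines():
        m = AUTH_RE.match(line)
        if m:
            ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
            events.append((ts, m["qid"], m["ip"], m["user"]))
            continue
        m = QMGR_RE.match(line)
        if m:
            rcpt_by_qid[m["qid"]] = int(m["n"])
    return events, rcpt_by_qid


def summarize(events, rcpt_by_qid):
    """Per account: distinct public source IPs, message and recipient totals, first/last login."""
    per_user = defaultdict(lambda: {"public_ips": set(), "messages": 0,
                                    "recipients": 0, "first": None, "last": None})
    for ts, qid, ip, user in events:
        s = per_user[user]
        s["messages"] += 1
        s["recipients"] += rcpt_by_qid.get(qid, 0)
        if is_public(ip):
            s["public_ips"].add(ip)
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return {u: {**s, "public_ips": sorted(s["public_ips"])} for u, s in per_user.items()}


def flag_suspicious(summary, max_public_ips=2, max_recipients=50):
    """Accounts logging in from >= max_public_ips addresses or sending to >= max_recipients (assumed thresholds)."""
    return sorted(u for u, s in summary.items()
                  if len(s["public_ips"]) >= max_public_ips or s["recipients"] >= max_recipients)


def analyze(text, year=2012, **thresholds):
    events, rcpts = parse_log(text, year)
    return flag_suspicious(summarize(events, rcpts), **thresholds)


if __name__ == "__main__":
    events, rcpts = parse_log(SAMPLE_LOG)
    summary = summarize(events, rcpts)
    for user, s in summary.items():
        print(f"{user}: {s['messages']} msgs, {s['recipients']} rcpts, "
              f"public IPs {s['public_ips']}, {s['first']} .. {s['last']}")
    print("suspicious:", flag_suspicious(summary))
```

Feed the script your live MTA log instead of `SAMPLE_LOG` and run it from cron; an account that is flagged is the one whose password to reset and whose active sessions to terminate, since the attacker here is not exploiting the server but logging in with a valid credential. The thresholds are starting points to tune against your own users' normal behaviour (a roaming user with a laptop and a phone will legitimately show two or three public addresses in a day).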