Most likely you have users falling for phishing scams, or users with keylogger viruses on their computers. If they are changing the reply-to settings they are almost surely logging in via the webmail, but you can verify logins (and their source IP/method/etc.) in /opt/zimbra/log/audit.log.
I'm not aware of a way to change permissions to block the reply-to/signature issue. Doing so won't stop them from sending spam from a compromised account though and would be overlooking the real issue (how the accounts are getting compromised).
P.S. Your admin port (7071) should be blocked to the general internet and only allowed through specific IPs (for outside use a VPN is recommended). Even if you don't find that the admin access is how spammers are getting to accounts, I would still strongly recommend blocking outside admin port access.
State University of New York at New Paltz
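As an added example (not part of the post above or of Zimbra itself), the check the reply describes, done in Python: scan audit.log for successful logins and reply-to preference changes, group them per account, and flag accounts that logged in from several off-campus IPs or changed their reply-to from off campus. The sample log lines are constructed and only loosely modelled on Zimbra's audit.log layout; the field order, the `cmd=` names and the trusted campus range are assumptions, so match `LINE_RE` against what your own log shows before relying on it.

```python
import ipaddress
import re
from collections import defaultdict

# Constructed sample lines, loosely modelled on Zimbra's audit.log layout.
# The exact field order and command names on a real server may differ
# (assumption); adjust LINE_RE to match what your own audit.log shows.
SAMPLE_AUDIT_LOG = """\
2021-03-02 08:15:01,112 INFO  [qtp-1] [name=alice@example.edu;oip=192.0.2.10;ua=zclient/8.8.15;] security - cmd=Auth; account=alice@example.edu; protocol=soap;
2021-03-02 08:16:40,554 INFO  [qtp-2] [name=bob@example.edu;oip=198.51.100.7;ua=zclient/8.8.15;] security - cmd=Auth; account=bob@example.edu; protocol=soap;
2021-03-02 09:02:13,009 INFO  [qtp-3] [name=bob@example.edu;oip=203.0.113.44;ua=zclient/8.8.15;] security - cmd=Auth; account=bob@example.edu; protocol=soap;
2021-03-02 09:05:55,771 INFO  [qtp-3] [name=bob@example.edu;oip=203.0.113.44;ua=zclient/8.8.15;] security - cmd=ModifyPrefs; account=bob@example.edu; zimbraPrefReplyToAddress=reply-to@example.invalid;
2021-03-02 11:30:00,000 INFO  [qtp-4] [name=bob@example.edu;oip=203.0.113.99;ua=zclient/8.8.15;] security - cmd=Auth; account=bob@example.edu; protocol=soap;
2021-03-02 12:00:00,000 INFO  [qtp-5] [name=dave@example.edu;oip=198.51.100.200;ua=zclient/8.8.15;] security - cmd=Auth; account=dave@example.edu; protocol=soap;
"""

# Campus address space: assumed value, replace with your own ranges.
TRUSTED_NETS = [ipaddress.ip_network("192.0.2.0/24")]

# Pulls the timestamp, account name, originating IP (oip) and the audited
# command out of one line; anything that does not fit this shape is skipped.
LINE_RE = re.compile(
    r"^(?P<ts>\S+ \S+) .*?\[name=(?P<name>[^;\]]+);oip=(?P<oip>[^;\]]+);.*?\] "
    r"security - cmd=(?P<cmd>\w+);(?P<rest>.*)$"
)


def parse_audit_line(line):
    """Return the fields we care about as a dict, or None if the line does not parse."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rec = m.groupdict()
    rec["rest"] = rec["rest"].strip()
    return rec


def is_trusted(ip, trusted_nets=TRUSTED_NETS):
    """True if the source address falls inside one of the campus ranges."""
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in trusted_nets)


def review_logins(log_text, trusted_nets=TRUSTED_NETS, max_untrusted_ips=1):
    """Group audit records per account and flag the ones that look compromised.

    Signals used:
      * logins (cmd=Auth) from more than `max_untrusted_ips` distinct off-campus IPs
      * a preference change (cmd=ModifyPrefs) touching the reply-to address
        that came from an off-campus IP
    Returns {account: [reasons, ...]} for flagged accounts only.
    """
    auth_ips = defaultdict(set)
    pref_changes = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_audit_line(line)
        if rec is None:
            continue
        acct, ip, cmd = rec["name"], rec["oip"], rec["cmd"]
        if cmd == "Auth":
            auth_ips[acct].add(ip)
        elif cmd == "ModifyPrefs" and "zimbraPrefReplyToAddress" in rec["rest"]:
            pref_changes[acct].append((ip, rec["rest"]))

    findings = defaultdict(list)
    for acct, ips in auth_ips.items():
        untrusted = sorted(ip for ip in ips if not is_trusted(ip, trusted_nets))
        if len(untrusted) > max_untrusted_ips:
            findings[acct].append(
                f"logins from {len(untrusted)} off-campus IPs: {', '.join(untrusted)}"
            )
    for acct, changes in pref_changes.items():
        for ip, detail in changes:
            if not is_trusted(ip, trusted_nets):
                findings[acct].append(f"reply-to changed from off-campus IP {ip}: {detail}")
    return dict(findings)


if __name__ == "__main__":
    # On a real server: review_logins(open("/opt/zimbra/log/audit.log").read())
    for acct, reasons in review_logins(SAMPLE_AUDIT_LOG).items():
        print(acct)
        for reason in reasons:
            print("  -", reason)
```

With the constructed sample, only bob@example.edu is reported (three off-campus login sources plus a reply-to change from one of them); dave's single off-campus login stays under the threshold, which is the point of `max_untrusted_ips`: a lone remote user is normal, a spread of unrelated source addresses on one account usually is not.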