We have some client which their Zimbra server sending much amount of messages, possibly due to compromised account. Spammer do the following spamming actions :

1. Change account identity
2. Change Reply-to address
3. Change Signature
4.Create a draft messages
5. Sending much amount of spam messages

We have enforce strong password but it seems some account profile still got hacked. I don't know where the spammer came from. Is this possible they are spoofing Zimbra Admin (which be opened from outside) or does this means they came from webmail (which using https by default)?

Also, is this possible to prevent spammer to change reply-to address and signature by disallow user preferences on Class of services or is there any tips to prevent user preferences modification?