I've recently installed ScrolloutF1 between Zimbra and the Internet and now I can see that we get lots of spam 'from' our own addresses.
Nothing new here; what is strange, however, is that there are a few accounts that have never been used to send or receive email, so these addresses must have been harvested in some way.

Is it possible for a spammer to get a list of hosted addresses off Zimbra without a valid login?
Or if an account is hacked via a weak password, can a hacker then get a complete list of all addresses on Zimbra?

If so, can simply disabling GAL in the default COS prevent this from happening?