After you get things tidied up a bit, read this Wiki and see how your firewall settings compare to what it advises.
Firewall Configuration - Zimbra :: Wiki
I'm at a school system where some of the staff (often) enjoy giving their passwords away to scammers, so I wrote a Perl daemon that checks the mail.log every ten seconds for multiple SASL connections to the same account, and if it is more than I feel is normal, it'll send me a text message that it's locking that account, then it restarts the MTA and does some network stuff to break the Postfix connection that the "possible SPAMmer" is making to my e-mail server. Then when I have time, I can log in and look at the activity and do what I think is best to resolve the incident.
I also use "fail2ban" - a good thread on that is below.
Succesfull hacking attempts on Zimbra mailboxes (webmail)
Here's another good thread to look over.
Identify compromised accounts
And while I'm at it, come here every day and read over the forums. It's the best way to stay informed.
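The mail.log check described in the post above can be sketched as follows. This is an added example, not the poster's Perl daemon: it only does the detection step (no locking, alerting or MTA restart), and it assumes the usual Postfix smtpd log line carrying `sasl_username=`. The threshold, window, year and sample log lines are constructed for illustration.

```python
import re
from collections import defaultdict, deque
from datetime import datetime, timedelta

# Postfix smtpd line written for each SASL-authenticated submission.
SASL_RE = re.compile(
    r"^(?P<ts>\w{3}\s+\d+ \d\d:\d\d:\d\d) \S+ postfix/\S*smtpd\[\d+\]: "
    r"\w+: client=\S*\[(?P<ip>[^\]]+)\], sasl_method=\S+, "
    r"sasl_username=(?P<user>\S+)")

def find_suspect_accounts(lines, max_logins=5,
                          window=timedelta(minutes=1), year=2024):
    """Return {user: (peak logins inside the window, client IPs at that peak)}
    for accounts exceeding max_logins. Syslog timestamps carry no year, so
    the caller supplies one (assumption)."""
    recent = defaultdict(deque)  # user -> (time, ip) pairs still in window
    flagged = {}
    for line in lines:
        m = SASL_RE.match(line)
        if not m:
            continue  # not an authenticated-submission line
        ts = datetime.strptime(f"{year} {m['ts']}", "%Y %b %d %H:%M:%S")
        q = recent[m["user"]]
        q.append((ts, m["ip"]))
        while ts - q[0][0] > window:  # drop logins older than the window
            q.popleft()
        if len(q) > max_logins and len(q) > flagged.get(m["user"], (0,))[0]:
            flagged[m["user"]] = (len(q), sorted({ip for _, ip in q}))
    return flagged

def _line(sec, ip, user):
    # Builds a constructed sample line; hostname, PID and queue ID are made up.
    return (f"Mar  3 10:15:{sec:02d} mail postfix/smtpd[2101]: 4F2A11C0E5: "
            f"client=unknown[{ip}], sasl_method=LOGIN, sasl_username={user}")

# Constructed sample: one account logging in 7 times in 15 s from 3 addresses,
# one normal account, and one unrelated smtpd line.
SAMPLE_LOG = (
    [_line(s, ip, "jdoe@example.edu") for s, ip in [
        (1, "198.51.100.7"), (3, "203.0.113.9"), (4, "198.51.100.7"),
        (8, "192.0.2.44"), (9, "203.0.113.9"), (12, "192.0.2.44"),
        (15, "198.51.100.7")]]
    + [_line(20, "192.0.2.10", "asmith@example.edu"),
       "Mar  3 10:15:21 mail postfix/smtpd[2101]: disconnect from unknown[192.0.2.10]"])

if __name__ == "__main__":
    for user, (count, ips) in find_suspect_accounts(SAMPLE_LOG).items():
        print(f"{user}: {count} SASL logins within window from {ips}")
```

Reporting the distinct client addresses alongside the count helps separate a single misconfigured mail client (one address) from a phished account being used from several networks.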