Zimbra Mail Server is sending Spam
How to find SMTP Auth usernames (users) who authenticated on the SMTP port to send a bulk emails.
The following command will return list of authenticated users on the SMTP port to send an email:
tail -n 200000 /var/log/maillog | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n
As we see on the pic. last user sending 1490 emails