I don't have any cron jobs running that generate autentication requests.
I've found when the Zimbra web client is authenticated, the IP of the browser is logged not the IP of the server (for example, 2008-08-13 20:07:29,806 WARN [btpool0-10] [oip=65.12.278.236;ua=zclient/5.0.7_GA_2444.UBUNTU6;] security - cmd=Auth; account=xyz@mydomain.com; protocol=soap; error=authentication failed for xyz, account lockout
Here's a small subsection of the /opt/zimbra/jetty/logs during the attack:
10.10.1.2 - - [13/Aug/2008:06:56:56 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:04 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:14 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:19 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:26 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:34 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:42 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:49 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:57:57 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:58:03 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:58:13 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:58:18 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:58:26 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"
10.10.1.2 - - [13/Aug/2008:06:58:34 -0400] "POST /service/admin/soap/ HTTP/1.1" 500 476 "-" "-"