I'd suggest that the first thing you should look at is your RBL list. I believe you'll get better results if you use the zen.spamhaus.org RBL (it includes all the RBL lists) rather than the one you've got and it should be placed first in your list. I find it strange that some of those IPs don't get rejected (and I don't have an answer as to 'why') when they fail a multi-RBL check, for instance there's one here:
MSRBL - Multi RBL Checker - try it for the other IPs and see if they're listed. FWIW I only use the following restrictions:
Code:
zimbraMtaRestriction: reject_invalid_hostname
zimbraMtaRestriction: reject_rbl_client zen.spamhaus.org
zimbraMtaRestriction: reject_rbl_client psbl.surriel.com
zimbraMtaRestriction: reject_rbl_client dnsbl.dronebl.org
zimbraMtaRestriction: reject_rbl_client bl.spameatingmonkey.net
I see very little spam on my server and almost no relay attempts (that get through) and spamhaus block the vast majority of the spam. As I mentioned earlier I also reject mail sent to invalid addresses - you can find more details in the wiki in the article on improving the anti-spam system.