We've had a customer who's zimbra server has been sending out spam. We eventually found it was an account that had its password guessed/compromised and were able to fix it by changing the password.
However, finding the account was trickier than I would've expected. It was sending via authenticated smtp, but using a different FROM address.
Is there any easy way to identify which authenticated account is used to send a particular email?