Useful cmd for quick checking compromised account in case of internal spam:

cat /var/log/zimbra.log | sed -n 's/.*sasl_username=//p' | sort | uniq -c | sort -n

Accont with much difference in sent mails is the one to inspect...

Leave a reply