We have a zimbra email server and one of the email accounts was compromised. The problem we have now is that a lot of spams are sent from that server and we cannot identify which account is compromised.
In the mailq we can only see the from email, but this is a fake email address.
Is there a way to identify the real auth user who is sending those emails?