Here is a script I use on my Zimbra environment that I modified to work on my InterWorx box to find what account is compromised.
tail -n 100000 /var/log/maillog | grep "vchkpw-smtp: (PLAIN) login success" > /tmp/smtpauthlogins.txt
Here is a script I use on my Zimbra environment that I modified to work on my InterWorx box to find what account is compromised.
tail -n 100000 /var/log/maillog | grep "vchkpw-smtp: (PLAIN) login success" > /tmp/smtpauthlogins.txt