There are many reasons behind outgoing spam. If a user's password is compromised, a spammer can send spam through the server.
To protect user accounts from hackers, you should create a strong password policy on your ZCS server.
You can find a spammer on a Zimbra server using the following command. It gives you a list of the users that have authenticated the most; the top entry is usually the compromised ID through which spam is being sent:
grep sasl_user /var/log/zimbra.log | sed 's/.*sasl_username=//g' | sort | uniq -c | sort -nr | head
This command is applicable to both the Network Edition and the Open Source Edition of Zimbra Collaboration Server.
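The command above counts authentications only. As an added example (not part of the original post), the function below goes one step further and also counts the distinct client IPs per account, since one account logging in from several source addresses is a further sign of misuse. It assumes the usual Postfix smtpd log layout (client=host[ip], sasl_method=..., sasl_username=...); the names sasl_summary and sample_log and the sample lines are constructed for illustration.

```shell
#!/bin/sh
# Added example (not from the original post): per-account SASL login summary.
# Output columns: auth_count distinct_client_ips sasl_username
sasl_summary() {   # $1 = log file, e.g. /var/log/zimbra.log
    awk '
    /sasl_username=/ {
        # Account name: text after sasl_username= up to a comma or space.
        user = $0
        sub(/.*sasl_username=/, "", user)
        sub(/[ ,].*/, "", user)
        # Client IP: text between [ and ] that follows client=, if present.
        ip = "-"
        i = index($0, "client=")
        if (i) {
            rest = substr($0, i + 7)
            a = index(rest, "["); b = index(rest, "]")
            if (a && b > a) ip = substr(rest, a + 1, b - a - 1)
        }
        count[user]++
        if (!((user, ip) in seen)) { seen[user, ip] = 1; ips[user]++ }
    }
    END { for (u in count) printf "%d %d %s\n", count[u], ips[u], u }
    ' "$1" | sort -k1,1nr -k2,2nr
}

# Constructed sample lines in Postfix smtpd format (documentation IP ranges).
sample_log() {
    cat <<'EOF'
Mar  4 09:00:01 mail postfix/smtps/smtpd[2101]: connect from unknown[203.0.113.10]
Mar  4 09:00:02 mail postfix/smtps/smtpd[2101]: 4A1B2C3D01: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=alice@example.com
Mar  4 09:05:10 mail postfix/smtps/smtpd[2140]: 4A1B2C3D02: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  4 09:05:11 mail postfix/smtps/smtpd[2141]: 4A1B2C3D03: client=unknown[198.51.100.8], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  4 09:05:12 mail postfix/smtps/smtpd[2142]: 4A1B2C3D04: client=unknown[192.0.2.55], sasl_method=PLAIN, sasl_username=bob@example.com, sasl_sender=x@example.net
Mar  4 09:05:13 mail postfix/smtps/smtpd[2143]: 4A1B2C3D05: client=unknown[198.51.100.7], sasl_method=LOGIN, sasl_username=bob@example.com
Mar  4 09:30:00 mail postfix/smtps/smtpd[2200]: 4A1B2C3D06: client=unknown[203.0.113.10], sasl_method=LOGIN, sasl_username=alice@example.com
EOF
}

tmp=$(mktemp)
sample_log > "$tmp"
sasl_summary "$tmp"
rm -f "$tmp"
```

On a live server, run sasl_summary /var/log/zimbra.log and look at accounts where both columns are high.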