Dealing with compromised Zimbra accounts

[Steve Hillman <hillman@sfu.ca>]

Hi folks,
  Now that we've moved all of our students over to our Zimbra implementation, we're starting to see Zimbra accounts get used for spamming (after being successfully phished) -- we've had 3 in the last 3 days.

We're having to invent new ways of dealing with these -- simply changing the password or locking the account doesn't actually stop the current session. Our session timeout is 12 hours, so this would allow the spammer to keep functioning for quite awhile unless we can kill the session programmatically. 

I've found that setting the account to 'maintenance' mode will terminate the session *if* the end-user tries to do anything while it's in that state, but it's not enough to just flip the account into maintenance and back out.

I'm just wondering if any other sites are dealing with this yet, and if so, if you've figured out a semi-automated way of locking and unlocking the accounts?

(btw, we're also looking at Milters to do password detection (to prevent the phished account in the first place) and outbound rate limiting (to limit the damage the spammer can do), so if any of you are doing/done any work in this area, I'd love to hear about it too..)

-- 
Steve Hillman                                IT Architect
hillman@sfu.ca                               IT Infrastructure
778-782-3960                                 Simon Fraser University