I think Zammad needs a stop list/blacklist for service email addresses that are prohibited from creating new tickets.
Scenario: some spammer sends mail from the “support@your_company.com” address, which is assigned to Zammad.
Not all SMTP servers discard spam based on SPF records, so you will most definitely receive some NDRs for this spam mail. And a new ticket will be created in the system. And a new user will be created in the system.
So, how to deal with this? Block all NDRs to the Zammad system on a firewall/proxy/edge SMTP server?
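
The scenario in the post above, as an added example that is not part of the original post and is not Zammad code: a pre-filter that a mail gateway could run before handing messages to the ticket system, rejecting mail that claims to come from the helpdesk's own address and recognising NDRs by their standard markers. The function name, the address list and the sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Assumption: the helpdesk's own mailbox addresses, which must never open a ticket.
BLOCKED_SENDERS = {"support@your_company.com"}
BOUNCE_LOCALPARTS = {"mailer-daemon", "postmaster"}


def classify(raw, blocked=BLOCKED_SENDERS):
    """Return 'blocked-sender', 'ndr' or 'accept' for one raw RFC 5322 message."""
    msg = message_from_string(raw)
    sender = parseaddr(msg.get("From", ""))[1].lower()
    if sender in blocked:
        return "blocked-sender"  # mail claiming to come from the helpdesk itself
    # RFC 3464: a delivery status notification is multipart/report
    # with report-type=delivery-status.
    report_type = str(msg.get_param("report-type", ""))
    if msg.get_content_type() == "multipart/report" and report_type.lower() == "delivery-status":
        return "ndr"
    # RFC 5321: bounces are sent with the null reverse-path "<>".
    if msg.get("Return-Path", "").strip() == "<>":
        return "ndr"
    # Fallback for servers that send plain-text bounces.
    if sender.partition("@")[0] in BOUNCE_LOCALPARTS:
        return "ndr"
    return "accept"


# Constructed sample messages (not real traffic).
SAMPLES = {
    "spoofed": "From: Support <support@your_company.com>\nTo: victim@example.org\n"
               "Subject: Invoice\n\nPlease see attachment.\n",
    "ndr": "Return-Path: <>\n"
           "From: Mail Delivery System <MAILER-DAEMON@mx.example.net>\n"
           "To: support@your_company.com\n"
           "Subject: Undelivered Mail Returned to Sender\n"
           'Content-Type: multipart/report; report-type=delivery-status; boundary="b1"\n'
           "\n--b1\nContent-Type: text/plain\n\nDelivery failed.\n--b1--\n",
    "customer": "Return-Path: <alice@example.org>\nFrom: Alice <alice@example.org>\n"
                "To: support@your_company.com\nSubject: Login problem\n\nHelp.\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```

Messages classified as `ndr` are better routed to a quarantine mailbox than silently dropped, since a genuine bounce for an agent's reply looks the same on the wire.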