My first thought would be to set up the following if you don't already have it:

- Create a mirror port on your most central switch - or the equivalent on your firewall.  Connect this to a workstation or laptop for monitoring.
- Install Wireshark on the monitoring computer.
Monitor the traffic on the outgoing port of the switch or the incoming port (LAN) on the firewall.
This should determine the IP addresses that are generating traffic of the sort you are interested in.
Perhaps off-hours logging would be the most revealing.
I've run logs like this with round-robin log file creation for days on end.

Setup an SMTP server (such as the free one included in windows under IIS) to act as a relay.

Point all of your actual applications that sdnd mail to this relay.

block all devices (except the IP pf the mail relay) from having port 25 ourbound.

Now you can be pretty muxh assured that anything else which is sending email is blocked, and you can review the smtp logs of all devices which de relay through your local smtp relay server, allowing tou to troubleshoot connectivity and locate any abusive systems.

You have entered this as a post, but it looks like it is a question. To get the best response from the Experts, you should probably re-submit this as a question using the "ask a question" button at the top of the page, or this link: https://www.experts-exchange.com/askQuestion.jsp

Please see here for further details: http://support.experts-exchange.com/customer/portal/articles/756544-how-to-succeed-at-ee-as-an-asker