Our domain has been blacklisted, and after some digging it looks like one of our users' address books may have been exploited. I turned on verbose logging on the send connector and all of the outbound messages are from one user. I disabled that user's network adapter on their workstation, but the problem still persists. I was disappointed when I realized that the client machine's IP address is not in the SMTP log, only the local and remote mail servers.
So my question is, what is the easiest way to determine which client machine is sending mail that coincides with the SMTP log?