To determine whether one or more machines in your environment are sending out spam, first restrict outbound SMTP traffic so that only certain machines are allowed to send email out of your environment. The best place to enforce this restriction is a perimeter firewall or switch that all outbound port 25 traffic passes through. Configure it so that only your mail server, SMTP gateway, or mission-critical servers that need to send SMTP traffic outbound may do so.
Then examine your firewall logs to see which machines in the environment are attempting to send outbound SMTP traffic when they should not be. Those machines are the prime suspects for hosting a mass-mailer worm, virus or trojan.
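The log review described above, as an added example that is not part of the original article: it assumes the firewall writes Linux netfilter-style LOG lines (SRC=, DST=, PROTO=, DPT= fields), and the allowlist, internal network range and sample log lines are constructed for illustration. It ranks internal hosts that attempted outbound port 25 connections without being on the allowlist, with the number of distinct destinations each one tried.

```python
import ipaddress
import re
from collections import Counter

# Assumption: hosts permitted to send outbound SMTP (mail server, SMTP gateway).
ALLOWED_SENDERS = {"10.0.0.10", "10.0.0.11"}
# Assumption: address space of the internal network.
INTERNAL_NET = ipaddress.ip_network("10.0.0.0/8")

# Constructed sample lines in netfilter LOG format (not real traffic).
SAMPLE_LOG = """\
Mar  3 02:14:07 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.4.23 DST=203.0.113.25 PROTO=TCP SPT=49211 DPT=25
Mar  3 02:14:08 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.4.23 DST=198.51.100.7 PROTO=TCP SPT=49212 DPT=25
Mar  3 02:14:09 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.4.23 DST=198.51.100.7 PROTO=TCP SPT=49213 DPT=25
Mar  3 02:14:11 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.4.23 DST=192.0.2.40 PROTO=TCP SPT=49214 DPT=25
Mar  3 02:14:30 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.0.10 DST=203.0.113.25 PROTO=TCP SPT=38010 DPT=25
Mar  3 02:15:02 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.7.88 DST=192.0.2.40 PROTO=TCP SPT=50100 DPT=25
Mar  3 02:15:05 fw kernel: WEB-OUT IN=eth1 OUT=eth0 SRC=10.0.4.23 DST=192.0.2.80 PROTO=TCP SPT=49300 DPT=443
Mar  3 02:15:09 fw kernel: SMTP-IN IN=eth0 OUT=eth1 SRC=198.51.100.7 DST=10.0.0.10 PROTO=TCP SPT=41000 DPT=25
Mar  3 02:15:10 fw kernel: SMTP-OUT IN=eth1 OUT=eth0 SRC=10.0.9
"""

FIELD = re.compile(r"\b(SRC|DST|PROTO|DPT)=(\S+)")

def suspect_hosts(log_text, allowed=ALLOWED_SENDERS, internal=INTERNAL_NET):
    """Return [(host, attempts, distinct_destinations)], most attempts first."""
    attempts = Counter()
    destinations = {}
    for line in log_text.splitlines():
        fields = {}
        for key, value in FIELD.findall(line):
            fields.setdefault(key, value)  # keep the first occurrence of each field
        if fields.get("PROTO") != "TCP" or fields.get("DPT") != "25":
            continue  # not an SMTP connection attempt (or a truncated line)
        try:
            src = ipaddress.ip_address(fields["SRC"])
        except (KeyError, ValueError):
            continue  # missing or malformed source address
        if src not in internal or str(src) in allowed:
            continue  # inbound mail, or an authorized sender
        attempts[str(src)] += 1
        destinations.setdefault(str(src), set()).add(fields.get("DST"))
    return [(h, n, len(destinations[h])) for h, n in attempts.most_common()]

if __name__ == "__main__":
    for host, count, dsts in suspect_hosts(SAMPLE_LOG):
        print(f"{host}: {count} attempts to {dsts} distinct destinations")
```

A host that contacts many different destination mail servers in a short period is a stronger mass-mailer candidate than one with a single misconfigured application retrying the same server.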
It is also recommended that you ensure all your antivirus scanners' definitions are fully up to date and then run a full virus scan throughout your entire network. If you pinpoint a machine as the one sending out the traffic, please contact your antivirus technical support for the steps necessary to identify and submit the infected file(s) for analysis and removal.