Malware on Network

My question is there any way of tracking whats getting sent through port 25. ANy help would be appreciated.
The problem is inside to out and trying to finde the rouge machine

1. Sniff on the switch port where your firewall is connected to: http://wiki.wireshark.org/CaptureSetup/Ethernet
   
2. Use this capture filter to reduce traffic: 'port 25 and not host a.b.c.d' where 'a.b.c.d' is the ip address of your exchange server.
3. Stop the capture, if you think there is enough data (or enough 'evidence').

4. Analyze the traffic by doing this:

   • Find all TCP conversations: Statistics -> Conversation List -> TCP
     
   • Sort the entries by source ip or bytes (or any other criteria you are interested in)
   • Follow one TCP Stream: select one of those conversations and click the button "Follow Stream"
   • Read the content of that TCP stream (e-mail)

5. After you have identified those computers that send unsolicited mails, take them of the network and analyze what is going on (malware scan, asking the user, etc.)

6. IMPORTANT: Close your firewall !! No computer, other than your exchange server, should be allowed to send mails to the outside. Furthermore: Configure your Exchange SMTP connector to accept only authenticated connections (SMTPAUTH). If you don't do that, malware might just use your exchange SMTP connector as a relay to send e-mail to the outside. Beware! If you don't do this right, you might break incoming mail. Please ask you local Exchange guru how to configure this feature in the right way!

Regards
Kurt