This is a static archive of our old Q&A Site. Please post any new questions and answers at ask.wireshark.org.

Yet Another Spam Tracking Help Request


We have been blacklisted a few times this year due to spam. I am trying to help figure out the cause of the issue. We have blocked communications on port 25. We operate a GroupWise mail server, and we have blackhole routed the IP address that has been provided to us from the ISP: 172.22.218.222

I am curious how I go about finding the culprit machine in my network. Since we have blocked the transmission on port 25 and we are not operating as an open relay, what should I be looking for exactly? I see in my spam filter that a large amount of email from a specific user is being deferred because of our rate control. I can't see where the mail came from or the originating IP. I can see who the end user is supposed to be, and the messages that are being sent are blank; at least when I view the email documents in the Barracuda spam filter, there is no content. We have changed the password of the offending user to something complicated, but the intrusion still occurs. We have tried removing the account and setting up a new one for the user. This solves the issue for that user, but the spammer soon finds a new user and begins using that account.

Any help and insight is greatly appreciated!

My current setup is a Wireshark machine and my mail server on a hub together. I am packet capturing everything at the moment, and I would like to set up some filters that may help me, or some kind of expression to filter my results. Filtering on port 25 has no effect, as the port is blocked.

My next thought is to capture between gateway and firewall, or to port mirror on the main switch, but given that this is a network for education, there is ALWAYS a large amount of traffic to sift through.

To be honest, I am not sure if the offender is using the server as a relay, or if the machine is located locally, or is accessing a machine locally to do its bidding. This is what I would like to find.

asked 15 May '14, 12:12


Jaymes Driver
accept rate: 0%

edited 15 May '14, 12:17
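One way to narrow the capture down to the question asked above (which internal host is feeding the mail server, or trying to reach external mail servers directly) is to export only the first SYN of each TCP connection and rank internal sources by mail-port activity. The script below is an added example, not code from the original post or from Wireshark. It assumes the connection list was exported with the real tshark options `tshark -r capture.pcap -Y "tcp.flags.syn==1 && tcp.flags.ack==0" -T fields -e frame.time_epoch -e ip.src -e ip.dst -e tcp.dstport`; the mail server address, the internal ranges, the thresholds and every record in the sample are constructed for illustration. A capture on the hub in front of the server will only show client-to-server submissions (ports 25, 465, 587); a mirror port inside the firewall will additionally show the blocked direct-to-MX attempts, which is the second signal the script looks for.

```python
"""Rank internal hosts by outbound mail activity seen in a capture.

Added example (not from the original post). Input format: one line per
first-SYN packet, tab-separated: epoch time, src IP, dst IP, dst port.
"""
from collections import defaultdict
from ipaddress import ip_address, ip_network

MAIL_PORTS = {25, 465, 587}            # SMTP, SMTPS, submission
INTERNAL_NETS = [ip_network("10.0.0.0/8"),
                 ip_network("172.16.0.0/12"),
                 ip_network("192.168.0.0/16")]
MAIL_SERVER = "10.0.0.25"              # hypothetical internal GroupWise server


def build_sample():
    """Construct a synthetic SYN log (not captured data)."""
    t = 1400000000.0
    rows = []
    # busy workstation: 40 submissions to the internal server in two minutes
    rows += [(t + i, "10.0.5.17", MAIL_SERVER, 587) for i in range(40)]
    # same workstation: direct port-25 attempts to 20 external hosts
    rows += [(t + 100 + i, "10.0.5.17", f"198.51.100.{i + 1}", 25)
             for i in range(20)]
    # normal workstation: two submissions a quarter of an hour apart
    rows += [(t + 5, "10.0.5.18", MAIL_SERVER, 587),
             (t + 900, "10.0.5.18", MAIL_SERVER, 587)]
    rows.append((t + 7, "10.0.5.19", "8.8.8.8", 443))           # not mail
    rows.append((t + 8, "203.0.113.5", MAIL_SERVER, 25))         # inbound mail
    return "\n".join(f"{ts}\t{s}\t{d}\t{p}" for ts, s, d, p in rows)


def parse_records(text):
    """Parse tab-separated SYN lines into (time, src, dst, port) tuples."""
    recs = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, src, dst, port = line.split("\t")
        recs.append((float(ts), src, dst, int(port)))
    return recs


def is_internal(ip):
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def summarize(recs):
    """Per internal source: submissions via the server and direct-to-MX SYNs."""
    stats = defaultdict(lambda: {"via_server": 0, "distinct_mx": set(),
                                 "first": None, "last": None})
    for ts, src, dst, port in recs:
        # only mail ports, only internal clients, ignore the server's own traffic
        if port not in MAIL_PORTS or not is_internal(src) or src == MAIL_SERVER:
            continue
        s = stats[src]
        if dst == MAIL_SERVER:
            s["via_server"] += 1
        elif not is_internal(dst):
            s["distinct_mx"].add(dst)       # direct attempt at an external MTA
        else:
            continue                        # internal-to-internal, not counted
        s["first"] = ts if s["first"] is None else min(s["first"], ts)
        s["last"] = ts if s["last"] is None else max(s["last"], ts)
    return stats


def suspects(recs, max_per_hour=30, min_direct_mx=5):
    """Return [(src, [reasons])] for hosts exceeding either threshold."""
    flagged = []
    for src, s in summarize(recs).items():
        # normalise to at least one hour so a short burst is not over-weighted
        span_h = max((s["last"] - s["first"]) / 3600.0, 1.0)
        reasons = []
        if s["via_server"] / span_h > max_per_hour:
            reasons.append(f"{s['via_server']} submissions to {MAIL_SERVER} "
                           f"in {span_h:.1f} h")
        if len(s["distinct_mx"]) >= min_direct_mx:
            reasons.append(f"direct SMTP SYNs to {len(s['distinct_mx'])} "
                           f"external hosts")
        if reasons:
            flagged.append((src, reasons))
    return sorted(flagged)


if __name__ == "__main__":
    for src, reasons in suspects(parse_records(build_sample())):
        print(src, "->", "; ".join(reasons))
```

In Wireshark itself the equivalent first cut is the display filter `tcp.flags.syn == 1 && tcp.flags.ack == 0 && (tcp.port == 25 || tcp.port == 465 || tcp.port == 587)`, then Statistics > Conversations sorted by packet count; the script only automates that ranking so it can be re-run on a large educational-network capture. Once a host is named, the next capture filter to apply is `ip.addr == <that host>`, which is far smaller than a whole switch mirror.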