I think this can be traced out using a proper accounting server. Because, this accounting server will track the correcponding hosts and account their events as a log. But this is just my suggestion. I am not sure how it is going to work out for you.
For a more precise answer, I may need the configurations currently running on your firewall and a generic overview of your network topology.
In my experience you may want to look into the following
1 - Make sure that your email server has not been comprimised or misconfigured to allow it to be used as a mail relay.
2 - Migrate to a web based email infrastruture and disallow outbound communication using tcp/25(smtp) from the client host to the mail server (this is easily achieveable if using the 'Port Blocking' feature on McAfee ePO and 8.0i or 7.0 client AV). Viruses typically spam using smtp and if your disallow that, then you have gained alot.
3 - If #2 is not feasible, you may want to look into an external content filtering device or software application for your mail server. I have worked with McAfee Webshield and the installation is painless and requires no changes to your topology. I installed it as a L7 aware transparent bridge. Sit it between your Router and Firewall and it scans all in/bound mail for spam and viruses.
I have done all of the above at companies and it made life alot easier.
We have configured the outside and inside Interface with official ipv6 adresses, set a default route on outside Interface to our router, we also have definied a rule , which also gets hits, to permit tcp from inside Interface to any6.
In Syslog I also se...