@mrpfsense
(don't do this but)
1 ) on LAN add a firewall rule that passes port 25 outbound to any and logs it.
instead do:
2a) on LAN allow port 25 outbound from the one server IP, and
2b) second rule after 2a: on LAN block port 25 outbound and log it
If spam is being sent that implies a PC is infected. Alternately Spamhaus has other lists like the policy list were the ISP reports it shouldn't be sending mail at all...often set for DHCP IPs.