1 | initial version |
To determine the internal IP, you'll need to capture on the internal network at a point where all egress traffic passes through, looking for traffic on TCP port 25 (for SMTP).
To do this you'll need to capture either on the edge router (which may or may not be possible), or from a switch just in front of it that routes all the traffic. If you have multiple switches connected to the router then it's back to capturing on the router again, or putting a "consolidation" switch between the other switches and the router (or use a tap). See the Wiki page on Ethernet Capture for more info.
You could also block traffic going to TCP port 25 from egressing your network, see your firewall\router manual for details on that. This won't identify the suspicious device but will stop your ISP from complaining.