Actually, I don't have any problem figuring out which IP address connected to my mail server. The problem is that a lot of the time that IP address has little to do with the actual originator of the spam email.

Everyone's heard about the new explosion of spam. Everyone's heard of Nimda, Code Red, etc. Very few seem to have connected the dots, though... most of these worms/trojans were designed to create spam-forwarding bots, in my belief. If you are sending, say, 10 million emails a day, and you've managed to snare 10 thousand IRC-controlled spam-forwarding bots via some variant of one of these worms, that means that each of them is sending about one thousand emails a day. Say the average size of said email is 30KB; that means a total throughput of 3 MB. Since the vast majority of these machines are on broadband networks, 3 MB spread out over 24 hours is a tiny trickle of outbound data, hardly noticeable to those who aren't Inet cognoscenti.