So I just got hit by a very crafty spammer/criminal.

He purchased a dedicated server from us and then proceeded to scan our network and sniff traffic. One of our other customers had a cross connect into another network in the facility we're in, and they bridged their network onto our low end hosting network.
This spammer started running fragrouter, stole the other customer's IP's, and then started spamming from them.

He would only do this for about an hour at a time so it was hard to track down.
I've enabled mac-security on all the shared ports now so this won't happen again, but its very irritating.

I should've known when his name showed up as "John Thomas"... When your name is very close to british slang for a tadger... smell the scam.