Hi Bob - I agree w/sleipnir214, I doubt it is the router. For an ISP to contact a client, they must be seeing a ton of traffic. More then likely your client is running some form of NAT so all outbound (including SMTP) traffic will appear to be from the router vs an individual computer. IMHO Sounds like one of the PCs have been compromised. Couple suggestions:
Sniffer
If you can get on their network w/a sniffer you'd be able to capture data packets pretty quick to see which machine is sending SMTP traffic.
Visually - confirm at the switch
I know this sounds ol'school, but it can help sometimes. If you have access to their switch, and they have LEDs that show activity, usually any PC that is sending tons of traffic will show their LED with almost a continuous blink/on status. Could help you track down the PC.
OpenRelay - SMTP engines
Many virus/Malware come with their very own built-in SMTP engines. If one of those PCs are infected (including the server), first thing those virus do is attempt to propagate to the internet - it may have its own address book or try to copy the PCs address book.
5 by 5
You could turn 5 PC off at a time, and see if the SMTP traffic stops. However, without a monitor it would kinda be hard to tell if the SMTP traffic has actually stopped.
At the PC -
While at the PC, I would ensure each has the latest AV definitions and AnitSPAM/Adware definitions and do a full sweep/scan. Also Ctrl+Alt+Del to see if there's anything odd running in the processes. Usually SMTP engines will load here and can be identified.
Disable outbound SMTP
As sleipnir214 suggested you could turn this port off at the router. This could be helpful and may suffice to keep the ISP happy while you discover exactly where the issue is originating inside that network.
Good luck.