It is common to see the delivery of unsolicited emails in the Internet, namely spam. Most spam-filtering solutions are deployed on the receiver side. Although the solutions are good at filtering spam for end users, spam messages still keep wasting Internet bandwidth and the storage space of mail servers. This work is intended to detect spam hosts in a university campus to nip the spam sources in the bud. We use the Bro network intrusion detection system (NIDS) to collect the SMTP sessions, and track the volume and uniqueness of the target email addresses of outgoing sessions from each individual internal host as the features for detecting spamming hosts. The large number of email addresses can be efficiently stored in the Bloom filters. Over a period of six months from November 2011 to April 2012, we found totally 65 spammers in the campus and also observed 1.5 million outgoing spam messages. We also found 33% of internal mail servers that have an account cracking problem. The precision of the detection is 0.91, and the recall is 0.97.