A couple of thoughts here. Computerhorizons.com has a few subsidiaries: management services, training services. I've dealt with software that had built-in email capabilities (which is your port 110), so maybe there's a new app or two on your network that's receiving email now and then. The questionable ip addresses belong to Level3 and NTT respectively, both reputable outfits. Maybe you can run something like TCPview on your server that would catch the offending app in action (although TCPview doesn't have logging from what I can gather). Check for other new software, something besides spyware or viruses.