September 9th, 2005, 05:58 PM
#1
Most keyloggers try to send their log file via email, as port 25 is usually unfiltered, whereas port 80 may restrict access to certain sites, which could hinder the sending of the log file.
Sending the log file via email is quite effective, as it is still an email and will use your normal email client settings/servers to send. Ways to spot this traffic are examining the size of the email and/or the regularity of it. The keylogger will be configured to send it either when the log file reaches a set size or at a certain time on a certain day, and it will be to the same email address.
So go through your logs and see if there are any patterns regarding email: a certain one that is always, say, 100KB in size, or one that is always sent at 12:00 on Friday. Look for it always being addressed to the same person.
If your boss is really concerned about this, tell him you will examine your SMTP logs to check for these telltale signs.
If you find a keylogger installed on a box in your network but it is not set up to send email, then the chances are it is an employee that has installed it. If this is the case, words with the sys admin are required!!!
I was asked roughly a year ago to write a paper on keyloggers and I found Spybot always detected every keylogger I played around with, but that was a year ago.
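The log review described in the post above, as an added example that is not part of the original post: it groups mail by sender and recipient and flags pairs whose messages are nearly constant in size or always sent at the same time of the week. The four-field log format, the addresses, the thresholds and the function names are assumptions made for illustration; real SMTP logs need their own parser.

```python
from collections import defaultdict
from datetime import datetime

# Constructed sample records (not real logs): ISO time, sender, recipient, size in bytes.
SAMPLE_LOG = """\
2005-08-19T12:00:03 pc14@corp.example drop@mail.example 102400
2005-08-22T09:14:51 alice@corp.example bob@partner.example 18234
2005-08-26T12:00:02 pc14@corp.example drop@mail.example 102391
2005-08-29T16:40:10 alice@corp.example bob@partner.example 512877
2005-09-02T12:00:04 pc14@corp.example drop@mail.example 102455
2005-09-05T11:02:33 alice@corp.example bob@partner.example 2301
2005-09-07T08:30:00 carol@corp.example dave@corp.example 4000
"""

def parse(log_text):
    """Yield (datetime, sender, recipient, size) from whitespace-separated lines."""
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 4 or not parts[3].isdigit():
            continue  # skip malformed lines instead of failing the whole run
        try:
            ts = datetime.fromisoformat(parts[0])
        except ValueError:
            continue
        yield ts, parts[1], parts[2], int(parts[3])

def find_suspects(log_text, min_msgs=3, size_tol=0.05, time_tol_min=5):
    """Flag sender/recipient pairs whose mail is near-constant in size or schedule."""
    groups = defaultdict(list)
    for ts, sender, rcpt, size in parse(log_text):
        groups[(sender, rcpt)].append((ts, size))
    suspects = {}
    for pair, msgs in groups.items():
        if len(msgs) < min_msgs:
            continue  # too few messages to call anything a pattern
        sizes = [s for _, s in msgs]
        # Minute within the week, so "12:00 on Friday" maps to one number.
        slots = [t.weekday() * 1440 + t.hour * 60 + t.minute for t, _ in msgs]
        reasons = []
        if max(sizes) - min(sizes) <= size_tol * max(sizes):
            reasons.append("constant_size")
        if max(slots) - min(slots) <= time_tol_min:
            reasons.append("fixed_schedule")
        if reasons:
            suspects[pair] = reasons
    return suspects

if __name__ == "__main__":
    for (sender, rcpt), why in find_suspects(SAMPLE_LOG).items():
        print(sender, "->", rcpt, why)
```

A flagged pair is only a lead for manual review: scheduled reports and newsletters show the same regularity, and a schedule that straddles the Sunday/Monday boundary is not matched by the weekly-minute comparison.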