address spoofing

anyone have clues other than net slime and misconfigured nats?

Possibly users behind your filters are tracerouting through
somewhere which has PtP links configured in RFC1918 space,
and you are seeing ICMP TTL exceeded back from these addresses.
Some people allege configuring publicly visible PtPs to RFC1918
addresses is not bad practice. YMMV.

If you really want to know what they are, policy route them
to a spare ethernet port back to backed with a box running
tcpdump. But then you knew that already.