So I have a question that I hope someone can answer. We are still using SM 15.7.6844 enterprise on our systems (long story) but anyway, the Internal Spammer abuse detection rule question I have is this: Does this rule only look at the email address to trip detection? or Does it also look at the sender's IP?

The reason for my question is because one of our user's email addresses was compromised and sending out spam through our server. It appears that the spammers were sending low level amounts of spam from several IP addresses and it should have tripped our rule, but it didn't because the IP address changed about every 3-5 seconds. If it does include IP, I can see that this rule would be useless in this case. Can anyone shed some light on this?