Here's one we haven't seen before. Headers in a spam message (the recipient was a BCC):
Received: from [85.209.176.115] (port=65243) by sv01.gofox.pt with esmtpa (Exim 4.96) (envelope-from <stthomashospitaluk66@gmail.com>) id 1qgFf7-0004By-2G; Wed, 13 Sep 2023 03:31:28 +0100
From: "St. Thomas' Hospital" <stthomashospitaluk66@gmail.com>
To: Recipients <stthomashospitaluk66@gmail.com>
Subject: Job Vacancy
Date: Tue, 12 Sep 2023 19:31:21 -0700
But we have 89.209.176.0/21 blocked in the firewall. We wondered how it got past the firewall block rule, until we looked at the server's SMTP log for the transaction and found:
[2023.09.12] 22:31:29.373 [94.46.23.119][24418393] cmd: EHLO sv01.gofox.pt
[2023.09.12] 22:31:30.014 [94.46.23.119][24418393] cmd: MAIL FROM:<stthomashospitaluk66@gmail.com> SIZE=5853
So now we're curious how the sending server at 94.46.23.119 was able to deliver a message but the headers show 85.209.176.115 as the last MX to have touched the message. If SmarterMail received it from 94.46.23.119, why was that shown in the SMTP log but NOT added to the message headers?
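
An added example, not part of the original post: a Python sketch that correlates the quoted `Received:` header with the quoted SMTP log lines, to show which host recorded each address and which address a firewall rule is actually evaluated against. The header, log lines and CIDR are copied from the post; the function names and the set of authenticated-protocol keywords are assumptions of this example.

```python
import ipaddress
import re

# Inputs copied from the post above.
RECEIVED = ("from [85.209.176.115] (port=65243) by sv01.gofox.pt with esmtpa "
            "(Exim 4.96) (envelope-from <stthomashospitaluk66@gmail.com>) "
            "id 1qgFf7-0004By-2G; Wed, 13 Sep 2023 03:31:28 +0100")
SMTP_LOG = [
    "[2023.09.12] 22:31:29.373 [94.46.23.119][24418393] cmd: EHLO sv01.gofox.pt",
    "[2023.09.12] 22:31:30.014 [94.46.23.119][24418393] cmd: MAIL FROM:<stthomashospitaluk66@gmail.com> SIZE=5853",
]
BLOCKED = ipaddress.ip_network("89.209.176.0/21")
AUTH_PROTOCOLS = {"esmtpa", "esmtpsa"}  # assumption: RFC 3848 keywords for AUTH

RECEIVED_RE = re.compile(
    r"from\s+.*?\[(?P<ip>[0-9A-Fa-f.:]+)\].*?\sby\s+(?P<by>\S+)\s+with\s+(?P<proto>\S+)")
LOG_RE = re.compile(
    r"^\[[^\]]+\]\s+\S+\s+\[(?P<peer>[^\]]+)\]\[(?P<session>\d+)\]\s+cmd:\s+(?P<cmd>.*)$")

def parse_received(value):
    """Return the client IP, the host that wrote the header, and the protocol."""
    m = RECEIVED_RE.search(value)
    if not m:
        raise ValueError("unrecognised Received header")
    return {"client_ip": ipaddress.ip_address(m["ip"]),
            "recorded_by": m["by"].lower(), "protocol": m["proto"].lower()}

def parse_session(lines):
    """Return the TCP peer and the HELO/EHLO name from one logged session."""
    peer, helo = None, None
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue
        peer = ipaddress.ip_address(m["peer"])
        verb, _, arg = m["cmd"].partition(" ")
        if verb.upper() in ("EHLO", "HELO"):
            helo = arg.strip().lower()
    return {"peer_ip": peer, "helo": helo}

def correlate(received, log_lines, blocked):
    hop, sess = parse_received(received), parse_session(log_lines)
    return {
        # HELO is client-asserted, so a match is a hint rather than proof.
        "header_written_by_peer": hop["recorded_by"] == sess["helo"],
        "firewall_sees": sess["peer_ip"],  # only the TCP peer reaches the firewall
        "peer_in_blocked_net": sess["peer_ip"] in blocked,
        "header_ip_in_blocked_net": hop["client_ip"] in blocked,
        "authenticated_submission": hop["protocol"] in AUTH_PROTOCOLS,
    }

if __name__ == "__main__":
    for key, value in correlate(RECEIVED, SMTP_LOG, BLOCKED).items():
        print(f"{key}: {value}")
```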