IP address of spam

[Avi Levin]

The IP address identified by Mailscanner (4.14-9) in the log seems to be the
last host that handed off the message to my SMTP server.  In other words,
the first "Received:" line in the envelope of each message.

The problem I'm seeing with this, is that if I use Checkpoint's FW-1 SMTP
proxy, or any other internal scanners, then MailScanner's reported IP
address is no longer that of the actual sender.

Shouldn't the sender's IP address be the one that's identified on the
"Received: " header that immediately preceeds the "Message-ID:" and "From:"
lines?

And finally, which address is used for RBL and other list checks?

Please let me know if you've got any insights into this.

Thanks.
---Avi---