Email header shows extra IP address in the Received: section

Email Header analyzing.  
I am going through suspected phishing emails to verify that they are phishing and then find a way to block them since they were not already blocked.
Normally pretty straight forward approach.
I have one that has me baffled though with the analyzation portion.  I have attached the header.

I use two different sites to analyze the header;

The question I have is in regards to the "Reeceived headers" section.  The first line reported by both of the above sites.
ON MXToolbox it shows the from as ""
On the Azure it shows a little more information "[] (port=11638 helo=[])"

So the question I have is what does this other IP tell me?  The  The header says:
Received: from [] (port=11638 helo=[])       by

But the address of is not that 192 address.

Looking for someone smarter than me for input on this.

thank you!
Michael FultonMCITP: Enterprise/Virtual AdministratorAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

David FavorLinux/LXD/WordPress/Hosting SavantCommented:
Likely you can simply tighten your SPF rejection settings, so some From: address has no SPF authentication to send, can be bounced during the initial SMTP conversation, when message's first delivery is attempted.
Michael FultonMCITP: Enterprise/Virtual AdministratorAuthor Commented:
I understand that.  we have some odd things on this end that currently are preventing making it too tight.

But the question I have is about that address.  Could it be they are using a VPN tunnel and that is their original IP?  I don't know.  That is why I am asking this.
Michael FultonMCITP: Enterprise/Virtual AdministratorAuthor Commented:
The first hop reports multiple IPs and a non-standard port. The 2 IP addresses are because the sending computer on Hop 1 reported it’s IP address as, but the actual IP address that connected to the receiving host was different ( The RFC for the SMTP protocol ( defines the first step of communications to be that the sender sends a “hello” message (helo or ehlo), as follows:
At the time the transmission channel is opened there is an
      exchange to ensure that the hosts are communicating with the hosts
      they think they are.

      The following two commands are used in transmission channel
      opening and closing:

         HELO <SP> <domain> <CRLF>

         QUIT <CRLF>

      In the HELO command the host sending the command identifies
      itself; the command may be interpreted as saying "Hello, I am

Most systems won’t do anything to verify that the sending host is reporting itself correctly, so there are a lot of email servers that are just sending the IP address of the server. The sending server only knows it’s internal IP, not its public/NATed IP, so it reports

The first hop also reports a non-standard port. I suspect that has configured a non-standard SMTP port (11638) in an attempt to foil spammers, but that someone found the open port and is using it for exactly that purpose.

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
scam emails

From novice to tech pro — start learning today.