I believe the problem to be that the 'trusted networks' is considered any IP on our same network, not our specific customer SMTP servers.
I guess my real question is, how can I prevent this case? This message was relayed through an official SMTP server on a static IP! I do not want to flag this as highly suspicious, because it isn't! The trusted networks -firsttrusted option is simply skipping past the Received I wish to be checked against the RBLs, and using the Received line a hop down the chain instead. There is no 'untrusted' setting to which I can add specific IPs on our network that should not be trusted.
There is no "untrusted" setting; however, it should not be needed.
If you manually declare a trusted_networks statement, SA will NOT infer any other trust. SA only infers trust when it's not manually declared.
Sidenote: what SA version are you using? SA 3.0 and 2.6x have different interpretations of "trusted_networks".