At 07:01 PM 1/28/2005, Kelson wrote:
Meanwhile, we've been getting complaints about spam which, on analysis, clearly contains forged Received headers. They have our IP but the wrong HELO, and no or wrong reverse DNS...and of course they don't show up in our logs. So we know spammers are out there forging our IP address. (Why ours? I have no idea. Probably the same reason they like forging our domain name and sending us 90,000 bounces a day.)

Are you sure it's a forgery?

Just because it's not in your mail logs does not mean it didn't come from your box. I can fire up a telnet client on xanadu and connect to an external server and drop it spam. That won't be in xanadu's logs but the mail will have been transferred from there.

And I can generate whatever HELO I want, all the lack of proper HELO indicates is that your MTA software didn't handle it, but it may have been handled by your MTA box.

The lack of RDNS doesn't mean much, as the recipient could have disabled this.

If it looks like your IP dropped off to their network, and there's no other hop in between in the headers, either you have a trojan, or a box on their end does, or the entire report is bogus.

IP forgery over established TCP connections is not a trivial matter if you don't control one of the boxes or a box along the route between the two (i.e., your router, or their router).

I'd check your box for trojans and/or proxy weaknesses just to be safe.
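As an added illustration of the header analysis discussed in this thread (not code from either poster), the following parses Received headers in the common "from HELO (rdns [ip]) by ..." form and reports, for any hop claiming our IP, whether the HELO and reverse DNS match what our MTA actually presents. The IP, HELO and rDNS values and the sample headers are constructed for the example; as the reply points out, a mismatch is a lead to follow up on the box, not proof of forgery.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Assumed values for this example: what our own MTA really presents.
OUR_IP = "192.0.2.25"
OUR_HELO = "mail.ourdomain.example"
OUR_RDNS = "mail.ourdomain.example"

# Constructed sample headers: the first is the pattern Kelson describes
# (our IP, wrong HELO, no rDNS), the second is a consistent hop for contrast.
SAMPLE_RECEIVED = [
    "from bogus-helo.invalid (unknown [192.0.2.25]) by mx.recipient.example with ESMTP id abc123",
    "from mail.ourdomain.example (mail.ourdomain.example [192.0.2.25]) by mx.recipient.example with ESMTP id def456",
]

RECEIVED_RE = re.compile(
    r"from\s+(?P<helo>\S+)\s+\((?:(?P<rdns>[^\s\[\]]+)\s+)?\[(?P<ip>[^\]]+)\]\)\s+by\s+(?P<by>\S+)"
)


@dataclass
class Hop:
    helo: str
    rdns: Optional[str]  # None when the receiving MTA recorded no reverse name
    ip: str
    by: str


def parse_received(line: str) -> Optional[Hop]:
    """Extract HELO, reverse DNS, IP and receiving host from one Received line."""
    m = RECEIVED_RE.search(line)
    if not m:
        return None
    rdns = m.group("rdns")
    # Postfix-style "unknown" means the lookup failed or was not done.
    return Hop(m.group("helo"), None if rdns == "unknown" else rdns, m.group("ip"), m.group("by"))


def check_hop(hop: Hop) -> List[str]:
    """Return discrepancies for a hop that claims to originate from our IP."""
    findings: List[str] = []
    if hop.ip != OUR_IP:
        return findings  # not claiming to be us; nothing to compare against
    if hop.helo.lower() != OUR_HELO:
        findings.append(f"HELO {hop.helo!r} is not our MTA's HELO {OUR_HELO!r}")
    # Missing rDNS is weak evidence on its own: the recipient may not look it up.
    if hop.rdns is None or hop.rdns.lower() != OUR_RDNS:
        findings.append(f"reverse DNS {hop.rdns!r} does not match {OUR_RDNS!r}")
    return findings


def analyze(received_lines: List[str]) -> Dict[int, List[str]]:
    """Map index of each suspicious Received line to its list of discrepancies."""
    return {i: f for i, line in enumerate(received_lines)
            if (hop := parse_received(line)) and (f := check_hop(hop))}
```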