With the way that SMTP works, anyone anywhere can specify any email address as their from address as long as they have a mail server that will allow them to do so. This is why mail server administrators always ask for the complete headers of a spam message before they will disable someone: the from address may be completely false or even non-existent.
Read the Knowledge Base article on What are complete headers? How do I get them? for more information about viewing complete headers.
Advanced Email Security checks whether the sender is blacklisted by the From address used by the sender's server when it communicates with Smarsh Hosted Services server. This address can be completely different from the address you see in the From: header of an email message. Usually, the real From address can be found in the Return-Path: header of the message.
The email address/domain that is specified in the Return-Path section should be added to the Blocked Senders list in Advanced Email Security if you do not want to receive messages from this sender.
1. The transcript of the SMTP session between the sender's server and the Smarsh Hosted Services server:
220 exmf015-1.serverdata.net Microsoft ESMTP MAIL Service Version: 2.0
250 2.1.0 Ok
RCPT TO:<firstname.lastname@example.org >
250 2.1.5 Ok
354 End data with <CR><LF>.<CR><LF>
250 2.0.0 Ok: queued as 44FF84367F
2. Extract from headers of the message received by email@example.com:
In the above example, either @spamdomain.com or firstname.lastname@example.org should be blacklisted in Advanced Email Security in order to prevent messages from this sender being delivered to users' mailboxes.
Read the Knowledge Base article on Advanced Email Security for Exchange for more information.