Explanation of setup. Internet -> Exchange 2007 through firewall rule and NAT. Only 1 Exchange server.
We have 2 transport rules that block inbound messages that have our domain's name in the From field or in the return-path field. They are set up so that only the messages that arrive to our mail server using its IPv6 address are accepted, along with some exclusions for specific subject lines and trusted IPv4 addresses in a 'From' field.
This rule has always worked for us since inception and blocked spam messages that try to impersonate internal senders, until today.
I just received a message from 'Administrator'@domain.com with 'fraud@aexp.com' in the return-path through an outside mail server. It appears the message has had additional 'From' headers that spoof our domain with non-existent DNS names and internal 10.x.x.x addresses. These spoofed headers appear to break the processing of the transport rules, as the message had none of the acceptable conditions under which we would accept a message with our domain in the from field.
Note the message headers below:
***Real***Received: from 192-0-146-154.cpe.teksavvy.com (192.0.146.154) by
Exchange2007.domain.com (192.168.160.160) with Microsoft SMTP Server id
8.3.298.1; Tue, 12 Nov 2013 10:53:57 -0500
***Spoofed***Received: from outlook704.domain.com (10.0.0.161) by domain.com (10.0.0.68)
with Microsoft SMTP Server (TLS) id 032PJOKT; Tue, 12 Nov 2013 10:53:57 -0500
***Spoofed***Received: from outlook5391.domain.com (10.176.31.45) by smtp.domain.com
(10.0.0.122) with Microsoft SMTP Server id RLOJVAPF; Tue, 12 Nov 2013
10:53:57 -0500
Date: Tue, 12 Nov 2013 10:53:57 -0500
From: "Administrator <Administrator@domain.com>"
X-MS-Has-Attach: yes
X-MS-TNEF-Correlator: <XYSF4KCDD28WKE7RQYUV6UDGCRHHKOF0YPVZ5U@domain.com>
X-Priority: 3 (Normal)
Message-ID: <MF3B5024M539DH3WA62DWL1224449B9FT0JYIW@domain.com>
To: <user1@domain.com>
Subject: Important - New Outlook Settings
MIME-Version: 1.0
Content-Type: multipart/mixed;
boundary="_004_6Z7F6IE7QWJKDBPLDQDZV07FY9LJI6MFTG2VJ4Q5OHV4M3LQTWA1BNQ_"
Return-Path: fraud@aexp.com
Any insight from those out there?
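The headers in the post illustrate a general point about Received-header trust: only the Received header written by your own edge server is trustworthy, and every Received header below it was handed over by the connecting system and can say anything. The following is an added example, not code from the post or from Exchange, showing how a defender can locate that trust boundary and base an anti-spoofing decision on the IP that actually connected. The edge hostname `exchange2007.domain.com`, the protected domain, and the trusted networks are assumptions; the sample message is constructed from the headers quoted above, with the annotations stripped.

```python
"""Find the IP that really connected to our edge server and decide whether a
message claiming our domain in From: came from a trusted source."""
import re
from email import message_from_string
from email.policy import compat32
from ipaddress import ip_address, ip_network

# Assumptions, not taken from the post's environment: how our edge server names
# itself in the 'by' clause, the domain we protect, and the networks whose
# clients may legitimately send mail with our domain in From:.
OUR_EDGE_HOST = "exchange2007.domain.com"
OUR_DOMAIN = "domain.com"
TRUSTED_NETWORKS = [ip_network("192.168.160.0/24"), ip_network("2001:db8::/32")]  # constructed

# Matches the common "from <host> (<ip>) by <host>" shape of a Received header.
RECEIVED_RE = re.compile(
    r"from\s+(?P<from_host>\S+)\s+\((?P<from_ip>[^)\s]+)\)\s+by\s+(?P<by_host>\S+)",
    re.IGNORECASE,
)


def parse_received(value):
    """Return (from_host, from_ip, by_host) for one Received header, or None."""
    unfolded = " ".join(value.split())  # collapse folded continuation lines
    m = RECEIVED_RE.search(unfolded)
    if not m:
        return None
    return m.group("from_host"), m.group("from_ip").strip("[]"), m.group("by_host").lower()


def is_our_host(host):
    return host == OUR_DOMAIN or host.endswith("." + OUR_DOMAIN)


def connecting_ip(raw_message):
    """Walk the Received chain top-down (newest first) and return
    (ip_that_connected_to_our_edge, count_of_forged_internal_headers_below).

    Only the header our own server wrote is trustworthy; anything below it was
    supplied by the sender and may be forged to look like internal relays."""
    msg = message_from_string(raw_message, policy=compat32)
    received = msg.get_all("Received") or []
    for idx, value in enumerate(received):
        parsed = parse_received(value)
        if parsed and parsed[2] == OUR_EDGE_HOST:
            forged_below = 0
            for below in received[idx + 1:]:
                p = parse_received(below)
                if p and is_our_host(p[2]):
                    forged_below += 1  # claims to be our relay, but sits below the boundary
            return parsed[1], forged_below
    return None, 0


def from_domain(raw_message):
    """Domain of the From: header, extracted with a regex so odd quoting still parses."""
    msg = message_from_string(raw_message, policy=compat32)
    m = re.search(r"@([A-Za-z0-9.-]+)", msg.get("From", ""))
    return m.group(1).lower() if m else ""


def evaluate(raw_message):
    """Anti-spoofing verdict: our domain in From: is accepted only when the
    connecting IP (per our edge's own Received header) is in a trusted network."""
    domain = from_domain(raw_message)
    if domain != OUR_DOMAIN:
        return "accept: external From domain"
    ip, forged_below = connecting_ip(raw_message)
    if ip is None:
        return "reject: no Received header written by our edge server"
    if any(ip_address(ip) in net for net in TRUSTED_NETWORKS):
        return "accept: internal From from trusted network"
    note = f" ({forged_below} forged internal Received header(s) ignored)" if forged_below else ""
    return f"reject: {domain} in From but connection came from {ip}{note}"


# Constructed from the headers quoted in the post (annotations removed).
SPOOFED = """Received: from 192-0-146-154.cpe.teksavvy.com (192.0.146.154) by
 Exchange2007.domain.com (192.168.160.160) with Microsoft SMTP Server id
 8.3.298.1; Tue, 12 Nov 2013 10:53:57 -0500
Received: from outlook704.domain.com (10.0.0.161) by domain.com (10.0.0.68)
 with Microsoft SMTP Server (TLS) id 032PJOKT; Tue, 12 Nov 2013 10:53:57 -0500
Received: from outlook5391.domain.com (10.176.31.45) by smtp.domain.com
 (10.0.0.122) with Microsoft SMTP Server id RLOJVAPF; Tue, 12 Nov 2013
 10:53:57 -0500
From: "Administrator <Administrator@domain.com>"
To: <user1@domain.com>
Subject: Important - New Outlook Settings
Return-Path: fraud@aexp.com

body
"""

# Constructed legitimate internal message for contrast.
LEGIT = """Received: from workstation7.domain.com (192.168.160.50) by
 Exchange2007.domain.com (192.168.160.160) with Microsoft SMTP Server id
 8.3.298.1; Tue, 12 Nov 2013 11:00:00 -0500
From: Someone <someone@domain.com>
To: <user1@domain.com>
Subject: Lunch

body
"""

if __name__ == "__main__":
    print(evaluate(SPOOFED))
    print(evaluate(LEGIT))
```

The walk stops at the first Received header whose `by` host is our own edge; the two forged headers below it, with their 10.x.x.x addresses, are counted for logging but never consulted for the decision, which is why the message is rejected on the basis of 192.0.146.154 alone.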