On Mon, 12 Jan 2015 18:06:57 +1100, Mark Andrews said:
> The ISP will very likely not see ANY traffic originating from the spoofed IP destined to your server.
> They will see the reply traffic and will see the acks increasing etc.
Assuming they think to *look* for it. 99.8% of ISPs will get a complaint "Your IP w.x.y.z is sending me spam", drop a tap on the IP address, see no matching outbound traffic, and hit delete on the complaint. They will almost certainly not think to look in something like the ICMP port unreachable packets the address is sending to some *other* address. (Remember, the compromised relay machine has to send *very* little info back to the actual sending box - TCP sequence numbers, maybe windows, and SMTP reply codes that can be encoded in 1 byte or even less.)
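What "thinking to look for it" could mean on a tap of the complained-about address, as an added example that is not part of the original thread: flag SMTP connections where replies arrive with advancing ACK numbers but the customer never sends a segment, and list where its ICMP port unreachables go. The packet record layout, the function names and every address below are constructed for illustration.

```python
from collections import defaultdict

SMTP_PORT = 25

def pkt(proto, src, dst, sport=0, dport=0, ack=0, icmp=None):
    """Constructed packet summary, standing in for a parsed capture record."""
    return {"proto": proto, "src": src, "dst": dst,
            "sport": sport, "dport": dport, "ack": ack, "icmp": icmp}

def analyze_tap(packets, customer_ip, min_replies=3):
    """Find SMTP replies to customer_ip that have no outbound half on the tap."""
    replies = defaultdict(list)  # (server, customer port) -> inbound ACK numbers
    sent = set()                 # (server, customer port) with any outbound segment
    unreach_dsts = set()         # destinations of ICMP type 3 code 3 from customer
    for p in packets:
        if p["proto"] == "tcp" and p["dst"] == customer_ip and p["sport"] == SMTP_PORT:
            replies[(p["src"], p["dport"])].append(p["ack"])
        elif p["proto"] == "tcp" and p["src"] == customer_ip and p["dport"] == SMTP_PORT:
            sent.add((p["dst"], p["sport"]))  # includes an honest host's RST
        elif p["proto"] == "icmp" and p["src"] == customer_ip and p["icmp"] == (3, 3):
            unreach_dsts.add(p["dst"])
    one_sided = []
    for conn, acks in replies.items():
        if conn in sent or len(acks) < min_replies:
            continue
        # Forward steps in 32-bit sequence space: the server is acknowledging
        # data from someone using this address, yet none of it crossed the tap.
        steps = [(b - a) % 2**32 for a, b in zip(acks, acks[1:])]
        if all(s < 2**31 for s in steps) and any(steps):
            one_sided.append(conn)
    return {"one_sided_smtp": sorted(one_sided),
            "icmp_unreach_dsts": sorted(unreach_dsts)}

CUSTOMER = "192.0.2.10"
# Constructed sample (documentation address ranges), not captured traffic.
SAMPLE = [
    # Ordinary session: both directions visible on the tap.
    pkt("tcp", CUSTOMER, "198.51.100.5", 40000, 25),
    pkt("tcp", "198.51.100.5", CUSTOMER, 25, 40000, ack=1001),
    pkt("tcp", "198.51.100.5", CUSTOMER, 25, 40000, ack=1050),
    pkt("tcp", "198.51.100.5", CUSTOMER, 25, 40000, ack=1200),
    # Replies only: ACKs climb, no outbound segment was ever seen.
    pkt("tcp", "203.0.113.25", CUSTOMER, 25, 51515, ack=5001),
    pkt("tcp", "203.0.113.25", CUSTOMER, 25, 51515, ack=5030),
    pkt("tcp", "203.0.113.25", CUSTOMER, 25, 51515, ack=5400),
    # A single stray reply stays below min_replies and is ignored.
    pkt("tcp", "203.0.113.99", CUSTOMER, 25, 60000, ack=7),
    pkt("icmp", CUSTOMER, "198.51.100.77", icmp=(3, 3)),
    pkt("icmp", CUSTOMER, "198.51.100.77", icmp=(3, 3)),
]
```

A non-empty `one_sided_smtp` alongside ICMP unreachables going to an address that is not one of the mail servers is the pairing the reply above says most abuse desks never check.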