If I might explain, it's not really possible to spoof the IP address of SMTP connections. This is because there is a 3 way TCP handshake needed to set up the connection in the first place - And that's before we get to the back and forth of the messages needed to actually complete the SMTP send.
In the past, we've found such devices is Amazon Firesticks and Kodi boxes responsible with unsupported third party software to be the culprit in these cases.
The CSS is a real time blacklist, also from reading their documentation they don't blacklst straight away, it takes two or 3 events from the same IP before it's listed. Furhermore, if no further traffic is seen then a listing drops off after 48 hours. In other words, if your system really is clean, you don't have to ask for a delisting.
IP Spoofing is a thing, it's used in DDOS attacks - but it makes use of a transport mechanism called UDP and things such as poorly configured DNS and Network Time Protocol Servers.
Just because your AV scans haven't found anything doesn't mean it's not there.
I'm a Very Insightful Person, I'm here to share knowledge, I don't work for Virgin Media. Learn more
Have I helped? Click Mark as Helpful Answer or use Kudos to say thanks