I'm not at all sure that
helo= is definitive.
I just looked at a batch of test messages I sent when trying to sort out a domain and router problem here.
Here's the last (ie first in sequence) line of the routing of a message from my laptop to the desktop, both on the same network:
Received: from [192.168.8.10] (unknown [87.127.*.*])
by mail.ukfsn.org (Postfix) with ESMTP id 86BE2DF20A
for <keef@******.***>; Sat, 1 Dec 2007 21:17:40 +0000
192.168.8.10 is the laptop's DHCP address from the router.
87.127.*.* is my static IP address at UKFSN.
There's no helo= anywhere in the headers.
Here, in contrast, is the first routing line of one sent from my laptop when up in the Norfolk cottage, before that had a router and network:
Received: from [192.168.227.20] (helo=penitentiary.servers.plus.net)
An imaginative helo= (totally unaltered by me) innit! That's Plusnet's server ID, not my machine's ID, so the helo= isn't meaningful. The 192.168.227.20 is from a prehistoric ADSL modem I was using then.
And here's one sent from the cottage after the router was installed:
Received: from [87.113.69.49] (helo=[192.168.3.10])
by ptb-relay02.plus.net with esmtp (Exim) id 1HmeuN-0008Tf-Dm; Sat, 12 May 2007 00:52:23 +0100
That helo= is the laptop's DHCP address on the Norfolk router. (It uses 192.168.3.x because it often connects via VPN to the Essex machine with its 192.168.8.x addresses, whereupon Norfolk becomes 192.168.8.5x.)
I would conclude that the helo= isn't reliable as an indication of which PC sent the message - but that the DHCP address is.
If there isn't a DHCP address on the originator, then I wonder if there is a local area network involved. If there isn't, then I'd suspect there aren't four separate PCs on that broadband connection, either.
Hope that helps, and that it's clear enough.