Hi rcgreen

There was no spammer involved.

The scammer opens my email, clicked hyperlink
Hyperlink lead to webserver with PHP script
PHP script grabs the IP and send me an email w/ user agent and IP
IP shown in the email is an internal address

Correction to my initial post:

The internal IP address is not in any of the email conversations. I have no idea why I wrote that.