It's questionable whether that sort of behavior is legal. RFC 2821 doesn't say anything about it other than the fact that "parameters" are acceptable on the MAIL FROM: line. I can't find any mention of an AUTH= parameter anywhere.
As far as I can tell this is some sort of weird M$ thing that is now leaking out onto the Internet, so I guess we've got to deal with it. In the absence of any real instruction it seems that the correct thing to do is to always parse the leftmost string in angle brackets following MAIL FROM: as the envelope sender address.
