How to make spamassassin not check whether an authenticated user is in a blacklist?

I am sure this is a common occurrence: a user (who has an IP that is in a blacklist or two ) is sending mail using his email provides server (with SMTP authentication), then that server is forwarding the message to the recipient. Here's a sanitized header of such message.

Received: from email-com-hosting.com ([1.2.3.4])
	by mail.email2.com with esmtps (TLS1.2:ECDHE_RSA_AES_256_GCM_SHA384:256)
	(Exim 4.84_2)
	(envelope-from )
	id 1aaaaa-000000-aa
	for recipient@email2.com; Fri, 30 Sep 2016 00:01:00 +0300
DKIM-Signature: some-valid-signature-added-by-1.2.3.4;
Received: from [5.6.7.8] (helo=[10.0.0.1])
	by email-com-hosting.com with esmtpa (Exim 4.76)
	(envelope-from )
	id 1aaaaa-000000-ab
	for recipient@email2.com; Fri, 30 Sep 2016 00:00:00 +0300

Server 1.2.3.4 is the actual server for email.com, the mx record points to it ant everything. IP 5.6.7.8 is in a couple of blacklists. Spamassassin marks this email as spam because 5.6.7.8 is in a blacklist. How do I make it ignore all received headers that have "esmtpa" - autenticated SMTP and all headers below it? The idea is this: 1. If the header is genuine and the user is actually authenticated, do not check if the IP is in a blacklist. 2. If the header is spoofed, then it is useless anyway. 3. If the user is not authenticated, then check his IP too. For now I can add -lastexternal or -notfirsthop to all checks, but maybe there is a way to do this incorporating the presence/absence of "a" in the received header.