How does the hacker manage to spoof a different IP address?
TOR, VPN, bots, proxies, you name it.. The source IP is not "spoofed" per se... it's the real deal. If someone really spoofed a source IP, they couldn't establish a TCP connection or receive any replies. The source IP spoofing method is more useful over UDP when launching an amplification attack to a victim/spoofed IP.
"Analysis":
The fact that actual login attempts were made, tells you that the attacker was able to set up connections to the mail host .
Since, in order to receive information over the Internet, you must be in control of the IP address you are using, this cannot be a case of address spoofing. (Attackers may send you information using spoofed addresses, as mentioned by YaRi, but the responses would get routed away from the attacker. Hence no two-way communication would be possible.)
Conclusion:
This leaves you with two possibilities:
- The attacker uses some sort of redirection (proxying).
- Multiple attacks coincide.
1 is far more likely but 2 cannot be ruled ruled-out from the given information.
VPN, SOCKS or HTTP Proxies, Tor, or even botnets are nothing else than different kinds of proxying systems from a conceptual viewpoint. They operate on different layers of the Internet (VPN very low to overlay networks such as Tor very high) but all perform traffic forwarding in one way or the other.
Mitigation:
If you are in control of the mail server, you can look into blocking publicly known relays (e.g. the Tor exit nodes). A further option is to keep track of devices used to acces the mail server or the geolocation of the IP addresses, to require extended authentication when accessing with a new device or from a new location.
The above stated measures are probably not worth the effort unless you are running a somewhat larger service. The best measure otherwise, next to keeping the system updated, is to use a strong password.
It may be a Botnet with many different Computers in different countries.
It has the advantage (for the hacker) that it is almost impossible to block for you (or your mail provider) because there is no IP that can be blocked.
I don't know you, or your mail account, but if it is a normal account without important information in it there is a big chance that it is just a normal botnet trying to get access to as many accounts as possible.