dockers
Forwarded emails to the monitored mailbox don't seem to pull in original sender from header
If the email is originally sent to the monitored mailbox then all works fine but if a mail is forwarded on for investigation from a user, then the original From field isn't pulled in as an observable (as it's in the header).
Looking at the code I've uncommented this line which does pull in all the observables from the header:
# Temporary disabled
observables = searchObservables(headers_string, observables)
As this pulls in all observables from the header, including internal IPs etc., is there a better way to do this other than through whitelisting?
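
One way to narrow header extraction without a whitelist, as an added example that is not part of the original post or the project's code: read addresses only from sender-identifying headers and keep relay IPs only when they are globally routable. The function name, the header selection, the `(type, value)` result shape and the sample headers are assumptions.

```python
import ipaddress
import re
from email import message_from_string
from email.utils import getaddresses

# Constructed sample: headers of a message relayed through internal hosts.
SAMPLE_HEADERS = (
    "Received: from mail.internal.example (10.1.2.3) by mbx01.internal.example (192.168.0.5)\n"
    "Received: from smtp.sender.example (93.184.216.34) by mx.corp.example (10.1.2.3)\n"
    "From: Alice <alice@sender.example>\n"
    "Reply-To: billing@other.example\n"
    "To: soc@corp.example\n"
    "Subject: invoice\n"
    "\n"
)

# Assumption: only these headers identify the sending side of the message.
SENDER_HEADERS = ("From", "Reply-To", "Return-Path", "Sender")
IPV4_RE = re.compile(r"\b(?:\d{1,3}\.){3}\d{1,3}\b")


def sender_observables(headers_string):
    """Return (type, value) pairs: sender addresses plus globally routable relay IPs."""
    msg = message_from_string(headers_string)
    found = []
    for name in SENDER_HEADERS:
        # getaddresses handles "Name <addr>" forms and comma-separated lists
        for _display, addr in getaddresses(msg.get_all(name, [])):
            if addr and ("mail", addr.lower()) not in found:
                found.append(("mail", addr.lower()))
    for received in msg.get_all("Received", []):
        for candidate in IPV4_RE.findall(received):
            try:
                ip = ipaddress.ip_address(candidate)
            except ValueError:
                continue  # matched the regex but is not a valid address
            # is_global is False for RFC 1918, loopback, link-local and reserved ranges
            if ip.is_global and ("ip", str(ip)) not in found:
                found.append(("ip", str(ip)))
    return found


if __name__ == "__main__":
    for kind, value in sender_observables(SAMPLE_HEADERS):
        print(kind, value)
```

Recipient headers such as `To` are skipped on purpose, so the monitored mailbox's own address does not become an observable.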