Good questions here. Most times a mystery node comes in if a object has multiple communication IPs and the logs come out of different interfaces. My suggestion would be to audit why the email appliance has multiple IPs and if you can customize what port the logs are sent from if these are SYSLOG sources. If is a Windows log source make sure you do not have traps or syslogs coming out if you are also using the LEM agent That will add weird duplicate sources.
Hope that helps. Let me know.
Thanks