Each time spam is registered from a honeypot, the message is also analyzed by its content. This may trigger false events from time to time. The discovery does not affect the reason why the IP is listed, but when the triggered words are published through the API it may look strange that the mail content differs from the tag used.
One solution to avoid this is to trim X-Spam-Status out of the analyzed mail, since it is not required when reading the message. It is important that those lines do not trigger keywords in, for example, a body scan, which is what happened here.
One other thing to keep in mind when stripping X-Spam-Status is that the header splits its content across more than one row.
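The stripping step described above, as an added example that is not code from the service itself: it removes X-Spam-Status together with its folded continuation rows before the keyword scan, and compares that with a naive one-row removal. The sample message, the keyword list and the function names are constructed for illustration.

```python
import re

# Constructed sample: an X-Spam-Status header folded over three rows.
SAMPLE = (
    "Received: from mail.example.net by honeypot.example.org\r\n"
    "X-Spam-Status: Yes, score=12.4 required=5.0 tests=BAYES_99,\r\n"
    "\tDRUGS_ERECTILE,URIBL_BLACK autolearn=no\r\n"
    "\tversion=3.4.2\r\n"
    "Subject: Invoice attached\r\n"
    "\r\n"
    "Please see the attached invoice.\r\n"
    "X-Spam-Status: this line is body text and must stay\r\n"
)
KEYWORDS = ["erectile", "invoice", "uribl"]  # hypothetical trigger words

def naive_strip(raw, name="X-Spam-Status"):
    """Drops only rows that start with the header name (misses folded rows)."""
    prefix = name.lower() + ":"
    return "".join(l for l in raw.splitlines(keepends=True)
                   if not l.lower().startswith(prefix))

def strip_header(raw, name="X-Spam-Status"):
    """Remove the header and its continuation rows (rows starting with a
    space or tab), but only inside the header section of the message."""
    prefix = name.lower() + ":"
    out, skipping, in_headers = [], False, True
    for line in raw.splitlines(keepends=True):
        if in_headers:
            if line.strip("\r\n") == "":      # blank row ends the headers
                in_headers, skipping = False, False
            elif line[0] in " \t":            # folded continuation row
                if skipping:
                    continue
            else:                             # a new header starts here
                skipping = line.lower().startswith(prefix)
                if skipping:
                    continue
        out.append(line)
    return "".join(out)

def triggered(raw, keywords):
    """Case-insensitive keyword scan over the whole text."""
    return sorted(k for k in keywords if re.search(re.escape(k), raw, re.I))

if __name__ == "__main__":
    print("unstripped:", triggered(SAMPLE, KEYWORDS))
    print("naive     :", triggered(naive_strip(SAMPLE), KEYWORDS))
    print("unfolded  :", triggered(strip_header(SAMPLE), KEYWORDS))
```

The naive version leaves the continuation rows in place, so the rule names inside them still trigger keywords, and it also deletes a body line that merely begins with the header name.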