I don't understand how Mercury was able to accept the mail from 188.8.131.52 when it is outside the allowed range of IP addresses. Am I missing something here?
Is there any further configuration I need to carry out to ensure that Mercury only accepts SMTP connections from the allowed ranges?
It's not clear from here why the spammer even connected directly to your MTA - apsarchaeology.co.uk uses MessageLabs MXs, and the host apsarchaeology.co.uk doesn't run a public MTA. The record must be cached by some ratware somewhere; in that case it should go away soon.
The MercuryS ACL consists of the allow and deny list (see the help for a full description). The allow list specifies hosts allowed to send mail and optionally those allowed to relay when otherwise prohibited by configuration. Specifying an allow entry without relaying permission is useful because it allows you to override a more general deny entry, which does just that - ban outright any connection from that host. However, it is otherwise assumed that all hosts are allowed to connect but not to relay (providing relaying control is correctly configured, of course). That's a necessary assumption, of course - mail to local users must always be accepted, and your configuration is unusual in that respect.
To get the effect you want, simply ban every IP address on the internet (0.0.0.0 to 255.255.255.255). It is then EXTREMELY IMPORTANT that you ensure EVERY HOST THAT DELIVERS MAIL TO YOUR HOST is allowed to do so. Every allow range overrides the global ban.
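The connection-control behaviour described in the answer above, as an added example that is not part of the original thread and is not Mercury's code or configuration syntax. It is a simplified model that assumes the narrowest matching range wins and that a host matching no entry may connect; the class, function names and address ranges are constructed for illustration.

```python
import ipaddress

def to_int(addr):
    return int(ipaddress.IPv4Address(addr))

class ConnectionAcl:
    """Simplified model: narrowest matching range wins; no match means accept."""
    def __init__(self):
        self.entries = []  # (first, last, action)

    def add(self, action, first, last):
        if action not in ("allow", "deny"):
            raise ValueError(action)
        self.entries.append((to_int(first), to_int(last), action))

    def decide(self, addr):
        a = to_int(addr)
        # Sort key: range width, then allow before deny on equal width.
        hits = [(last - first, action == "deny", action)
                for first, last, action in self.entries if first <= a <= last]
        if not hits:
            return "accept"   # default: any host may connect (but not relay)
        return "accept" if min(hits)[2] == "allow" else "refuse"

def build_acl(global_ban):
    acl = ConnectionAcl()
    # Constructed ranges (RFC 5737 documentation addresses), not from the thread.
    acl.add("allow", "192.0.2.0", "192.0.2.255")        # hypothetical filtering service
    acl.add("allow", "198.51.100.10", "198.51.100.20")  # hypothetical local hosts
    if global_ban:
        acl.add("deny", "0.0.0.0", "255.255.255.255")   # the ban-everything entry
    return acl

def locked_out(acl, delivering_hosts):
    """Hosts that must deliver mail but would be refused: check before going live."""
    return [h for h in delivering_hosts if acl.decide(h) != "accept"]

if __name__ == "__main__":
    outsider = "203.0.113.45"                     # constructed address outside both ranges
    print(build_acl(False).decide(outsider))      # allow entries alone do not block it
    print(build_acl(True).decide(outsider))       # the global ban does
    print(locked_out(build_acl(True),
                     ["192.0.2.25", "198.51.100.15", "203.0.113.7"]))
```
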