Yes. From two different relays:
tcp sport 22 tcp flags == 0x12 counter packets 431 bytes 25156
and
tcp sport 22 tcp flags == 0x12 counter packets 66 bytes 3936
Second relay shown above started as tor relay AFTER the annoucement that the source of the spoofing had been found and shut down.
From all the other machines I own, manage, or control that have never run relays:
tcp sport 22 tcp flags == 0x12 counter packets 0 bytes 0
Analysis: Spoofing is still occuring, still actively targetting new relays which are coming online, and seems to only be targeting relays. Which is why we need to know who the known perpetrator was.
In better news, I am monitoring about a hundred other ports for evidence of spoofing and see so far see none. That said, port 22 is sort of special, though, as one of the only ports that is both very commonly used across the wider internet and yet not a port that welcomes anonymous/public connections.
UPDATE: From nature and timing of port 22 SYN-ACKS received on my machines, I now suspect they are as a result of connections to a current relay operator. I believe adversary is using incoming tor relay connections to trigger outgoing port 22 spoofs, with the mechanism perhaps as simple as a TEE + DNAT.