SpamAssassin not tagging or quarantining?

I’ve enabled SpamAssassin on one of my domains and set the tag level to 3 and the quarantine level to 4 on one of the email accounts. It seemed to be working until I got an email today that wasn’t tagged or quarantined. When I looked at the full header I saw it contained:

Subject: 0nline software, Download Macromedia, Windows & others Instantly
Date: Wed, 02 Nov 2005 15:01:53 +0300
MIME-Version: 1.0
X-MimeOLE: Produced By Microsoft MimeOLE V4.71.2730.2
Content-Type: multipart/mixed; boundary="–aJMZgeF49dfvH6aCF"
X-DH-Virus-Scanned: by amavisd-new-20030616-p10 (Debian) at enforcer
X-Spam-Status: No, hits=12.3 tagged_above=-999.0 required=999.0
X-Spam-Level: ************

Doesn’t “hits=12.3” mean it should have been tagged or in fact quarantined? I don’t get why it contains right after “tagged_above=-999.0 required=999.0” when these are not my settings for the account.

The only thing I can think of is this email came from an alias on a different domain that forwards to the account vs. straight to the account email address. I’ve read that SpamAssassin doesn’t block email that comes from another DreamHost domain, it only blocks when the email first hits a DreamHost domain. But the other domain has Spam Assassin enabled, but doesnt’ have any real mailboxes, just forwards to other real email addresses in other domains, so how am I to get spam blocking.

Surely there is a way for SpamAssassin to handle this properly without me setting up real mailboxes for every forwarding address and having to manage SpamAssassin settings and quarantine folders on multiple domains…

I have a support request in on this one but so far I have discovered this:

if I have two dreamhost domains DH1 and DH2 and I send email to foo@DH1 and it is forwarded to bar@DH2 then it never gets tagged or quarantined.

If DH1 has junk filtering on it does get processed by SpamAssassin and does get the X-Spam-Status headers added but DH2 does nothing with them.

I realize that DreamHost has set itself up so that mail being forwarded from one DH domain to another is “trusted” but this really breaks the utility of forwarding and junk mail filtering for those of us who use forwarding to implement aliases for a single account. My own home mail server works way way better!

Wouldn’t it be nice if…

Mail for an address that is simply forwarded to another is not processed by SpamAssassin until it reaches a final address.

Mail received from another DH domain is not treated as trusted if it has not already been through SpamAssassin i.e. does not have the X-Spam-Status headers.

This, as far as I can tell would fix all the usability problems with forwarding.

Is there any way for me to change the SpamAssassin behaviour with user specific preferences? I’ve looked at the SA docs briefly but haven’t figured it out yet…