Hi, Please disregard me if this sounds dumb because I'm still new to all of these. Here is my thought.
COuld it be possible for a spammer to send an email with additional headers that are exactly like SA's with "X-Spam-FLag: NO" to trick the MDA filtering matches? Since SA's headers are at the end filtering would stop once it matches the fake headers.
That won't work. SA will clobber the existing headers and over-write them with a new one when it scans the message.
This is also how people get into the "x-spam-status header doesn't match body report" quandary when they double-scan their emails. The second scan clobbers the x-spam-status header of the first, but doesn't touch the old body report.
