after switching the level to 5 (btw. bad idea to have the same variable 2 times in the same script -> last one matches ..) the sql showed me that it has the right rule: policy_name=>"Spambox". All the settings are from that rule like subject rewrite etc. I can see that the email where to forward the mail to is there as well. (spam_quarantine_to=>"email@example.com" )
spam_tag_level=>"-10", spam_tag2_level=>"-5" this makes sure that more or less every email will be spam (good for testing). The email get the spam header + subject etc. etc.
Everything is looking fine but the last rewrite to the "spam-admin" email I can't see anywhere.
lookup [spam_subject_tag2] => true, "firstname.lastname@example.org" matches, result="*S _SCORE_* X", matching_key="/cached/"
headers CLUSTERING: NEW CLUSTER <email@example.com>: score=0.1, tag=1, tag2=1, local=1, bl=, s=*S 0.1* X, mangle=
header: X-Virus-Scanned: amavisd-new at co4.mailhost.zz\n
header: X-Spam-Flag: YES\n
header: X-Spam-Score: 0.1\n
header: X-Spam-Level: \n
header: X-Spam-Status: Yes, score=0.1 tagged_above=-10 required=-5\n\ttests=[RDNS_NONE=0.1] autolearn=no\n
header: Received: from co4.mailhost.zz ([127.0.0.1])\n\tby localhost (co4.mailhost.zz [127.0.0.1]) (amavisd-new, port 10024)\n\twith ESMTP id i51hHhuKsDOr for <firstname.lastname@example.org>;\n\tTue, 31 Aug 2010 14:56:36 +0200 (CEST)\n
headers CLUSTERING: done all 1 recips in one go
SPAM-TAG, <email@example.com> -> <firstname.lastname@example.org>, Yes, score=0.1 tagged_above=-10 required=-5 tests=[RDNS_NONE=0.1] autolearn=no
(about to connect to [127.0.0.1]:10025) FWD via SMTP: <email@example.com> -> <firstname.lastname@example.org>
Can you point my nose where I should look at please?
ps.: found this http://howtoforge.net/forums/showthread.php?p=238105