Exchange 2010 might allow using the domain/user/mailbox notation for accessing foreign user's mailboxes through IMAP. According to KB937359 this feature was originally removed from Exchange 2007, but re-introduced in SP1 Rollup 4. So it would be worth a try.
There is also DavMail, which might be of some help - it gateways standard internet mail protocols through to Exchange over WebDAV or EWS. I have not tried, but accessing other users' mailboxes might work there using the DOMAIN\USERNAME\MAILBOX notation; public folders are apparently accessible as well.
The basic idea of how to get the spam mail into SA is to simply set up fetchmail on your Postfix/Amavisd box to retrieve it and feed it to sa-learn. Make sure to specify the right database path for sa-learn so your updated Bayes database is actually used by amavis. On an Ubuntu system the command to do this should look like this:
/usr/bin/fetchmail -a -n -m '/usr/bin/sa-learn --dbpath /var/lib/amavis/.spamassassin --spam'
with your .fetchmailrc containing the necessary information for username, password, mailbox to access and the folder to fetch:
poll your.exchange.server protocol IMAP user "DOMAIN/spamadmin/user1" with password "spamadmin-password" folder "SPAM"
poll your.exchange.server protocol IMAP user "DOMAIN/spamadmin/user2" with password "spamadmin-password" folder "SPAM"
poll your.exchange.server protocol IMAP user "DOMAIN/spamadmin/user3" with password "spamadmin-password" folder "SPAM"
Specifying the -v parameter for the fetchmail command and the -D parameter for sa-learn will give you some debug output. The fetchmail docs contain more useful information and some examples for a working fetchmail configuration.
These SpamAssassin rules match if a relay in the message's Received headers was listed...
While RCVD_IN_SORBS_WEB works closer to what you'd like them all to do:
check tests the IP address of the last untrusted relay against the DNSBL maintained by SORBS.
If you don't trust these tests, you can always adjust rule scores. score RCVD_IN_BL_SPAMCOP_NET 0 doesn't add any score if the test matches, with the result that the test is completely disabled.
There's no need for SpamAssassin to test against only the latest Received: header, as this is the Received header from your own MTA, which could have done the same test and actually rejected the mail from the matching IP address instead of marking it as spam.
In Postfix main.cf the equivalent recipient restrictions would be:
smtpd_recipient_restrictions =
    reject_rbl_client sbl.spamhaus.org,
    reject_rbl_client bl.spamcop.net,
    reject_rbl_client dnsbl.sorbs.net
And with Exim 4.x in the acl_rcpt ACL in exim.conf:
deny message  = Access denied - $sender_host_address \
                listed by $dnslist_domain\n$dnslist_text
     dnslists = sbl.spamhaus.org : \
                bl.spamcop.net : \
                dnsbl.sorbs.net
If you use Exim dnslists in warn mode, you could simulate RCVD_IN_* style rules on only the last MTA delivery by adding an X-blacklisted-at header
warn message  = X-blacklisted-at: $dnslist_domain
     dnslists = sbl.spamhaus.org : \
                bl.spamcop.net : \
                dnsbl.sorbs.net
and then scoring the existence (or content) of that header in SpamAssassin instead of RCVD_IN_*:
header LAST_RCVD_BLACKLISTED exists:X-blacklisted-at
score LAST_RCVD_BLACKLISTED 10.0
Please note that these reject lists might be too wide for what you actually need, as for example dnsbl.sorbs.net is an aggregate zone containing almost all SORBS zones available. Before rejecting or even flagging based on these lists you should familiarize yourself with the purpose of each list and decide how aggressive you want to be.
Personally I'd trust SPF, DMARC and Bayesian filtering more and would be really sensitive in trusting DNSBLs, i.e. only using lists with IPs certainly only used for spam, like smtp.dnsbl.sorbs.net for open SMTP relay servers or edrop.spamhaus.org containing "hijacked" netblocks.
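Added example, not part of the answer above: how a check of "the last untrusted relay" picks that IP out of the Received chain and turns it into a DNSBL query name. The trusted network list, the sample message and all function names are assumptions made for this example, and only IPv4 addresses in square brackets are parsed.

```python
import email
import ipaddress
import re
import socket

# Assumption: address ranges of our own relays (the idea behind trusted_networks).
TRUSTED = [ipaddress.ip_network(n) for n in ("10.0.0.0/8", "192.0.2.10/32")]
BRACKETED_IPV4 = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

# Constructed sample message; MTAs prepend, so the newest Received header is on top.
SAMPLE = """\
Received: from mx.example.net (mx.example.net [10.0.0.5])
 by mail.example.net with ESMTP; Mon, 1 Jan 2024 10:00:02 +0000
Received: from edge.example.net (edge.example.net [192.0.2.10])
 by mx.example.net with ESMTP; Mon, 1 Jan 2024 10:00:01 +0000
Received: from unknown (HELO sender) ([198.51.100.23])
 by edge.example.net with SMTP; Mon, 1 Jan 2024 10:00:00 +0000
Received: from [203.0.113.77] by webmail.invalid; Mon, 1 Jan 2024 09:59:00 +0000
Subject: test

body
"""

def last_untrusted_relay(raw_message, trusted=TRUSTED):
    """Walk Received headers newest-first; return the first connecting IP outside `trusted`."""
    msg = email.message_from_string(raw_message)
    for header in msg.get_all("Received", []):
        match = BRACKETED_IPV4.search(header)
        if match is None:
            return None  # chain cannot be followed any further
        ip = ipaddress.ip_address(match.group(1))
        if not any(ip in net for net in trusted):
            # Written by one of our own hosts, so the sender could not forge it.
            # Headers below this one come from untrusted hosts and are ignored.
            return str(ip)
    return None

def dnsbl_query_name(ip, zone):
    """198.51.100.23 in zone bl.spamcop.net -> 23.100.51.198.bl.spamcop.net"""
    return ".".join(reversed(ip.split("."))) + "." + zone

def is_listed(ip, zone, resolve=socket.gethostbyname):
    """True if the zone returns a 127.x answer; `resolve` is injectable for offline tests."""
    try:
        answer = resolve(dnsbl_query_name(ip, zone))
    except socket.gaierror:
        return False  # NXDOMAIN: not listed
    # Spamhaus documents 127.255.255.x as error codes (e.g. blocked resolver), not listings.
    return answer.startswith("127.") and not answer.startswith("127.255.255.")
```

The IP this returns is the same one the MTA sees as the connecting client, which is why the Postfix and Exim checks above can act on it at SMTP time.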
Best Answer
If something is being written into the headers, then the easiest method would be to write a transport rule that sees the header and makes the SCL value 7 or 8. That should put the email into the end user's junk email folder automatically.