> The XBL however, has the "notfirsthop" restriction. It won't match > any messages that have no trusted relays. Based on the debug > output, there were no trusted relays, thus XBL would not have > matched for this reason.
I think I follow this for why it didn't match on initial processing, but I still don't understand why it matched the message *after* I saved it and ran it through spamassassin -t.
Were there any extra Received: headers added after you received it?
