The MTA receives incoming email from external sources (usually the mta.york.ac.uk gateways run by the University), runs some checks on it and routes it to the correct user. In this process it handles delivery to mailing lists and aliases using a series of redirect routers. As the last step mail is run through the Dovecot LDA to process user filters and deliver it to user mailboxes.
Due to the withdrawal of the University's spam and virus filtering on their mail relays in October 2012 (as part of the move to Google Apps), Exim operates spam and virus checking on incoming mail, scanning mail using ClamAV and SpamAssasin when it is first received by the server. One of Exim's Access Control Lists (ACLs) is acl_check_data, which is run immediately after a message is received by the server, before the sender has disconnected. This ACL performs the virus and spam scans, and adds the results to the message headers.
ClamAV is configured to run as a daemon, connecting to Exim through a socket at
/var/run/clamd.exim/clamd.sock using its default configuration. Exim runs the virus scanner on incoming messages via this socket, and any messages are rejected (with a note in the logfile).
Next, Exim connects to the SpamAssassin daemon (spamd) and passes it the message, where it is scanned against the default set of rules. These assign the message spam points based on contents, senders, headers, white/blacklists and Bayesian statistical analysis. The results of this analysis is added to the message in the form of X-Spam-Score and X-Spam-Report headers, where a message with a spam score > 5 is considered spam and has the X-Spam-Flag: YES header added as well. If a message scores >10 it is currently routed to /var/tmp/quarantine and not delivered to the recipient. This will be used to assess whether mail with a score >10 can be safely rejected outright rather than filling up user's mailboxes.
SpamAssassin is configured in /etc/mail/spamassassin/local.cf, which overrides a small number of default configuration options. These overrides change the spam report formatting and has a required_hits line which will change the threshold spam score from 5 for all users.