Spamassassin letting spam in only for 1 account

I have a hosted email service with Spamassassin running. We are using a site-wide bayes filter. We have 20 users. Email filtering works fine for all of the users, except 1 email address. This user gets a ton of spam every day. A portion of that spam does work correctly and is sent to his spam folder. But a large portion is getting thru to his inbox.

Now for the weird part. The spam that gets through to his inbox has it's header re-written to include ***SPAM***. It's like sa is checking this message twice. The first time it marks it as spam and changes the header, but the second time it says it's ok and sends it through. I posted the header info below so you can see what the email header looks like. I have removed some of the info for privacy. Thanks in advance for the help!

Return-path: <equilibrator@timewhenhead.top>
Envelope-to: user@domain.com
Delivery-date: Wed, 24 Aug 2016 18:20:52 +0000
Received: from [85.93.14.210] (port=33725 helo=timewhenhead.top)
by server.domain.com with esmtp (Exim 4.87)
(envelope-from <equilibrator@timewhenhead.top>)
id 1bccnB-0005tA-39
for user@domain.com; Wed, 24 Aug 2016 18:20:52 +0000
Message-ID: <97995766087393942@timewhenhead.top> 
From: "Erectile Booster" <equilibrator@timewhenhead.top> 
Date: Wed, 24 Aug 2016 12:19:05 -0600 
To: "user" <user@domain.com> 
X-Spam-Status: no, score=0.6 required=5.0 tests=BAYES_99 
Content-type: multipart/alternative; boundary="76KR77.XMOO7Y7.L29.LD.260.78L.96P";
X-Spam-Status: Yes, score=41.5
X-Spam-Score: 415
X-Spam-Bar: +++++++++++++++++++++++++++++++++++++++++
X-Spam-Report: Spam detection software, running on the system "server.domain.com",
has identified this incoming email as possible spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: It appears HTML is disabled in your email reader. Please click
the link below for your message: http://timewhenhead.top/208f5e0ca7b60ac60263f6e056fe1b05_19e5bd57-010101010001/1/1505
That's right, you have been outright lied to for over 10 years now... [...]
Content analysis details: (41.5 points, 5.0 required)
pts rule name description
---- ---------------------- --------------------------------------------------
0.0 URIBL_BLOCKED ADMINISTRATOR NOTICE: The query to URIBL was blocked.
See
http://wiki.apache.org/spamassassin/DnsBlocklists#dnsbl-block
for more information.
[URIs: timewhenhead.top]
8.5 URIBL_DBL_SPAM Contains a spam URL listed in the DBL blocklist
[URIs: timewhenhead.top]
4.4 RCVD_IN_BRBL_LASTEXT RBL: No description available.
[85.93.14.210 listed in bb.barracudacentral.org]
3.3 RCVD_IN_SBL_CSS RBL: Received via a relay in Spamhaus SBL-CSS
[85.93.14.210 listed in zen.spamhaus.org]
0.1 URIBL_SBL_A Contains URL's A record listed in the SBL blocklist
[URIs: timewhenhead.top]
10 BAYES_99 BODY: Bayes spam probability is 99 to 100%
[score: 1.0000]
-0.0 SPF_HELO_PASS SPF: HELO matches SPF record
-0.0 SPF_PASS SPF: sender matches SPF record
0.0 HTML_MESSAGE BODY: HTML included in message
10 BAYES_999 BODY: Bayes spam probability is 99.9 to 100%
[score: 1.0000]
0.6 KAM_ADVERT2 RAW: This is probably an unwanted commercial email...
1.8 PYZOR_CHECK Listed in Pyzor (http://pyzor.sf.net/)
0.7 MIME_HEADER_CTYPE_ONLY 'Content-Type' found without required MIME
headers
2.0 RDNS_NONE Delivered to internal network by a host with no rDNS
0.0 T_REMOTE_IMAGE Message contains an external image
X-Spam-Flag: YES
Subject: ***SPAM*** You have been lied to for 10 years... 
X-From-Rewrite: unmodified, no actual sender determined from check mail permissions