I would test it by pulling the -f- flag from your .forward file then
sending yourself a similar message.
As I received the very same spam, I did a similar test: I telnetted to
port 25 on the mail server and sent myself two messages with
mail from:<REVOLUTION MAIL(_at_)990(_dot_)NET>. In the first case, procmail -f-
was invoked through .forward and I observed the same as Rik,
and in the second case, with no .forward, the From_ was "ok":
From "REVOLUTION MAIL(_at_)990(_dot_)NET" <timestamp>.
But, to complicate the issue further, procmail is run by the LDA,
albeit with no flags.