The dspam ebuilds sets 770 chmod on the /var/log/dspam directory, so errors can be logged even if users invoke the setgid dspam binary: diropts -m0770 -o dspam -g dspam dodir "${DSPAM_LOGDIR}" dspam itself then also creates 660 'dspam.log' files. However, if the default logrotate script is used, the empty dspam.log files that are created are 664. This will disable logging for non-dspam users, and allows reading for others (why?). I propose the logrotate file to read: ... create 0660 dspam dspam ...
Actually copytruncate is the right way of doing it. Fixed in dspam-3.8.0-r13.