I would suspect the module would analyze because it is my experience that inbound traffic on an interface is decrypted, then ACLs are applied on the decrypted traffic. And as people here have said that the IPS works post ACL, I believe that inbound traffic is processed like this; decryption -> access control -> inspection.
However, you mention spam and I am not sure if you are talking about the IPS modules, as I had thought they did not prevent spam. Although they could prevent some malicious attachments.