Logwatch file being tagged as a virus file and deleted

Julian Field MailScanner at ecs.soton.ac.uk
Thu Feb 28 19:59:17 GMT 2008

Howard Fleming wrote:
> Mark Sapiro wrote:
>> Howard Fleming wrote:
>>> Is there any way to exclude an email address from being scanned for 
>>> viruses?  For the last 3 days my logwatch file from my mail server 
>>> has been deleted, and I get the following:
>>>     Sender: root at messenger.mideasti.org
>>> IP Address:
>>>  Recipient: hfleming at mideasti.org
>>>    Subject: LogWatch for messenger.mideasti.org
>>>  MessageID: F254D540E8.78B90
>>> Quarantine:
>>>     Report: Clamd:  message was infected: Email.Phishing.DblDom-39 
>>> I have added root at messenger.mideasti.org to 
>>> phishing.safe.sites.conf, but it did not make any difference (or is 
>>> this the right place?).
>> I had the same issue when I first installed MailScanner. My solution is
>> to put
>> Scan Messages = %rules-dir%/scan.messages.rules
>> in MailScanner.conf and then put
>> From: no
>> FromOrTo: default yes
>> in scan.messages.rules. You may not want to exempt all mail originating
>> from localhost, so you may want a more restrictive rule.
> Hi Mark,
> I added the change; the only change I made to the contents of 
> scan.messages.rules was to change
> From: no
> to
> From: root at messenger.mideasti.org no
That's dangerous. All a spammer (or a virus) has to do is set the sender 
address of the message (which is completely under their control) to 
root at messenger.mideasti.org and their messages won't be virus-scanned at 

Not a good idea!

Change it to this instead:
From: root at messenger.mideasti.org and From: no
and that will be a whole lot safer.


Julian Field MEng CITP CEng
Buy the MailScanner book at www.MailScanner.info/store

MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
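
The difference between the sender-only rule and the sender-and-IP rule discussed above, as an added example that is not part of the original post and is not MailScanner's own code: a simplified model of first-match ruleset evaluation. The address `127.0.0.1` is an assumption for the second pattern (based on the mention of localhost in the thread), and the sample messages and `203.0.113.25` are constructed.

```python
import re

def parse_rules(text):
    """Parse 'Dir: pattern [and Dir: pattern] value' lines into (conditions, value)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if not line:
            continue
        *cond_words, value = line.split()
        conds = []
        for clause in " ".join(cond_words).split(" and "):
            direction, pattern = clause.split(None, 1)
            conds.append((direction.rstrip(":").lower(), pattern))
        rules.append((conds, value))
    return rules

def condition_matches(direction, pattern, msg):
    if pattern == "default":
        return True
    if re.fullmatch(r"[0-9.]+", pattern):
        # Numeric pattern: compared with the connecting IP the MTA recorded.
        ip = msg["client_ip"]
        return ip == pattern or (pattern.endswith(".") and ip.startswith(pattern))
    # Address pattern: compared with envelope addresses, which the client supplies.
    addrs = []
    if direction in ("from", "fromorto"):
        addrs.append(msg["envelope_from"])
    if direction in ("to", "fromorto"):
        addrs.extend(msg["recipients"])
    return pattern.lower() in (a.lower() for a in addrs)

def scan_decision(ruleset_text, msg):
    """First rule whose conditions all match wins; 'yes' if nothing matches (assumed)."""
    for conds, value in parse_rules(ruleset_text):
        if all(condition_matches(d, p, msg) for d, p in conds):
            return value
    return "yes"

# 127.0.0.1 is an assumption for the address elided in the post (localhost).
SENDER_ONLY = "From: root@messenger.mideasti.org no\nFromOrTo: default yes\n"
SENDER_AND_IP = ("From: root@messenger.mideasti.org and From: 127.0.0.1 no\n"
                 "FromOrTo: default yes\n")

# Constructed sample messages; 203.0.113.25 is a documentation-range address.
LOGWATCH = {"envelope_from": "root@messenger.mideasti.org",
            "client_ip": "127.0.0.1", "recipients": ["hfleming@mideasti.org"]}
FORGED = dict(LOGWATCH, client_ip="203.0.113.25")

if __name__ == "__main__":
    for name, rules in (("sender only", SENDER_ONLY), ("sender and IP", SENDER_AND_IP)):
        print(name, "| logwatch:", scan_decision(rules, LOGWATCH),
              "| forged:", scan_decision(rules, FORGED))
```

With the sender-only rule both messages skip scanning; with the combined rule only the message that actually arrived from the local host does.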
