Logwatch file being tagged as a virus file and deleted
Julian Field
MailScanner at ecs.soton.ac.uk
Thu Feb 28 19:59:17 GMT 2008
Howard Fleming wrote:
>
>
> Mark Sapiro wrote:
>> Howard Fleming wrote:
>>
>>> Is there any way to exclude an email address from being scanned for
>>> viruses? For the last 3 days my logwatch file from my mail server
>>> has been deleted, and I get the following:
>>>
>>> Sender: root at messenger.mideasti.org
>>> IP Address: 127.0.0.1
>>> Recipient: hfleming at mideasti.org
>>> Subject: LogWatch for messenger.mideasti.org
>>> MessageID: F254D540E8.78B90
>>> Quarantine:
>>> Report: Clamd: message was infected: Email.Phishing.DblDom-39
>>> FOUND
>>>
>>> I have added root at messenger.mideasti.org to
>>> phishing.safe.sites.conf, but it did not make any difference (or is
>>> this the right place?).
>>
>>
>> I had the same issue when I first installed MailScanner. My solution is
>> to put
>>
>> Scan Messages = %rules-dir%/scan.messages.rules
>>
>> in MailScanner.conf and then put
>>
>> From: 127.0.0.1 no
>> FromOrTo: default yes
>>
>> in scan.messages.rules. You may not want to exempt all mail originating
>> from localhost, so you may want a more restrictive rule.
>>
>
> Hi Mark,
>
> I added the change; the only change I made to the contents of
> scan.messages.rules was to change
>
> From: 127.0.0.1 no
>
> to
>
> From: root at messenger.mideasti.org no

That's dangerous. All a spammer (or a virus) has to do is set the sender
address of the message (which is completely under their control) to
root at messenger.mideasti.org and their messages won't be virus-scanned at
all.
Not a good idea!

Change it to this instead:

From: root at messenger.mideasti.org and From: 127.0.0.1 no

and that will be a whole lot safer.

Jules
--
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store
MailScanner customisation, or any advanced system administration help?
Contact me at Jules at Jules.FM
PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
PGP public key: http://www.jules.fm/julesfm.asc
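
The difference between the sender-only rule and the sender-plus-IP rule discussed above, as an added example (not part of the original thread and not MailScanner's own code): a simplified Python model of first-match ruleset evaluation, covering only `From:` and `FromOrTo:` rules. The two messages and the external address 203.0.113.25 are constructed, and the archive's " at " is written as "@".

```python
import fnmatch
import ipaddress

def _is_ip(pattern):
    try:
        ipaddress.ip_network(pattern, strict=False)
        return True
    except ValueError:
        return False

def _cond_matches(direction, pattern, msg):
    """Evaluate one 'From:' / 'FromOrTo:' condition against a message."""
    if pattern == "default":
        return True
    if _is_ip(pattern):
        # Numeric patterns are compared with the connecting client's IP,
        # which the sending side cannot choose the way it chooses a sender.
        net = ipaddress.ip_network(pattern, strict=False)
        return ipaddress.ip_address(msg["client_ip"]) in net
    addrs = [msg["sender"]]
    if direction != "from:":
        addrs += msg["recipients"]
    return any(fnmatch.fnmatch(a.lower(), pattern.lower()) for a in addrs)

def scan_decision(ruleset, msg):
    """First matching rule wins. Returns True if the message is virus-scanned."""
    for line in ruleset.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        *conds, value = line.split()
        pairs = [c for c in conds if c.lower() != "and"]  # From: X [and From: Y]
        checks = zip(pairs[0::2], pairs[1::2])
        if all(_cond_matches(d.lower(), p, msg) for d, p in checks):
            return value.lower() == "yes"
    return True  # assumption of this model: scan when nothing matches

SENDER_ONLY = """
From: root@messenger.mideasti.org no
FromOrTo: default yes
"""
SENDER_AND_IP = """
From: root@messenger.mideasti.org and From: 127.0.0.1 no
FromOrTo: default yes
"""
# Constructed messages: the real local Logwatch mail, and a forged sender
# arriving from an external client.
LOGWATCH = {"sender": "root@messenger.mideasti.org", "client_ip": "127.0.0.1",
            "recipients": ["hfleming@mideasti.org"]}
FORGED = dict(LOGWATCH, client_ip="203.0.113.25")
```

With `SENDER_ONLY`, both messages skip scanning; with `SENDER_AND_IP`, only the message that really came from localhost does.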