Message being scanned that shouldn't be.
mark at msapiro.net
Wed Aug 12 23:21:35 IST 2009
My daily logwatch report got quarantined today as being infected with
This in itself is not surprising except that it should not be scanned
I have a ruleset for Scan Messages. I know that this is an all-match
rule set so it can be tricky, but this is reasonably straightforward.
It has a bunch of 'no' rules including several of the form
From: 127.0.0.1 no
to exempt all local interfaces. It has a few other 'no' rules, but
other than the default
FromOrTo: default yes
There is only one 'yes' rule
To: /regexp/ yes
and there's no way the regexp matched this mail.
The message was the output of a cron and delivered directly to Postfix
by cron as root. The Mailscanner virus report contains
Sender: root at sbh16.songbird.com
IP Address: 127.0.0.1
Recipient: root at sbh16.songbird.com
Subject: Logwatch for sbh16.songbird.com (Linux)
Report: Clamd: message was infected: Email.Phishing.DblDom-124
I tried resending the message from the quarantine with
sendmail -t <
with the same result.
I think I would have noticed if this had been going on for long. On Aug
5 I upgraded from 4.78.3 to 4.78.7, and before that from 4.78.2 to
4.78.3 on July 31. It happens under both 4.78.7 and 4.78.8 with this
one message. At least some other locally originating messages
including a test sent in the same way are properly not scanned.
Is it possible that the rearrangement of the virus/spam scanning code
in 4.78.3 et. seq. is allowing messages to be virus scanned even if
Scan Messages is 'no'?
Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
San Francisco Bay Area, California better use your sense - B. Dylan
More information about the MailScanner