Message being scanned that shouldn't be.

Mark Sapiro mark at msapiro.net
Wed Aug 12 23:21:35 IST 2009


My daily logwatch report got quarantined today as being infected with
Email.Phishing.DblDom-124.

This in itself is not surprising except that it should not be scanned
at all.

I have a ruleset for Scan Messages. I know that this is an all-match
rule set so it can be tricky, but this is reasonably straightforward.
It has a bunch of 'no' rules including several of the form

From: 127.0.0.1 no

to exempt all local interfaces. It has a few other 'no' rules, but
other than the default

FromOrTo: default yes

there is only one 'yes' rule

To: /regexp/ yes

and there's no way the regexp matched this mail.

The message was the output of a cron job and delivered directly to Postfix
by cron as root. The MailScanner virus report contains

    Sender: root at sbh16.songbird.com
IP Address: 127.0.0.1
 Recipient: root at sbh16.songbird.com
   Subject: Logwatch for sbh16.songbird.com (Linux)
 MessageID: CCA5E6900BD.A6A51
Quarantine: /var/spool/MailScanner/quarantine/20090812/CCA5E6900BD.A6A51
    Report: Clamd:  message was infected: Email.Phishing.DblDom-124


I tried resending the message from the quarantine with

sendmail -t < /var/spool/MailScanner/quarantine/20090812/CCA5E6900BD.A6A51/message

with the same result.

I think I would have noticed if this had been going on for long. On Aug
5 I upgraded from 4.78.3 to 4.78.7, and before that from 4.78.2 to
4.78.3 on July 31. It happens under both 4.78.7 and 4.78.8 with this
one message. At least some other locally originating messages
including a test sent in the same way are properly not scanned.

Is it possible that the rearrangement of the virus/spam scanning code
in 4.78.3 et seq. is allowing messages to be virus scanned even if
Scan Messages is 'no'?

-- 
Mark Sapiro <mark at msapiro.net>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan