Message being scanned that shouldn't be.

Mark Sapiro mark at
Wed Aug 12 23:21:35 IST 2009

My daily logwatch report got quarantined today as being infected with

This in itself is not surprising except that it should not be scanned
at all.

I have a ruleset for Scan Messages. I know that this is an all-match
rule set so it can be tricky, but this is reasonably straightforward.
It has a bunch of 'no' rules including several of the form

From: no

to exempt all local interfaces. It has a few other 'no' rules, but
other than the default

FromOrTo: default yes

There is only one 'yes' rule

To: /regexp/ yes

and there's no way the regexp matched this mail.

The message was the output of a cron and delivered directly to Postfix
by cron as root. The Mailscanner virus report contains

    Sender: root at
IP Address:
 Recipient: root at
   Subject: Logwatch for (Linux)
 MessageID: CCA5E6900BD.A6A51
Quarantine: /var/spool/MailScanner/quarantine/20090812/CCA5E6900BD.A6A51
    Report: Clamd:  message was infected: Email.Phishing.DblDom-124

I tried resending the message from the quarantine with

sendmail -t <

with the same result.

I think I would have noticed if this had been going on for long. On Aug
5 I upgraded from 4.78.3 to 4.78.7, and before that from 4.78.2 to
4.78.3 on July 31. It happens under both 4.78.7 and 4.78.8 with this
one message. At least some other locally originating messages
including a test sent in the same way are properly not scanned.

Is it possible that the rearrangement of the virus/spam scanning code
in 4.78.3 et. seq. is allowing messages to be virus scanned even if
Scan Messages is 'no'?

Mark Sapiro <mark at>        The highway is for gamblers,
San Francisco Bay Area, California    better use your sense - B. Dylan

More information about the MailScanner mailing list