Logwatch being marked as virus

Jules Field MailScanner at ecs.soton.ac.uk
Mon Aug 17 21:11:13 IST 2009



On 17/08/2009 19:52, Jim Wirtz wrote:
> Thanks Glenn....
>
> That fixed it!.. took a couple tries before I realized this was where I
> wanted NO as the final option.
> That No I didn't want it scanned, but yes to the default action.
>
> /etc/MailScanner/rules/virus.scanning.rules
>
> FromOrTo:       root at thismachine.com no
> FromOrTo:       reports at anothermachine.com no
> FromOrTo:       default         yes
>    
Doing it by email address is dangerous. If some attacker sends you mail 
with the envelope sender address set as root at thismachine.com then it 
won't get scanned, regardless of where it came from.
A sender can set the sender address to anything they like; it has no 
effect on the delivery of the message.
So don't do this, do it by IP address, such as
From: 127.0.0.1 no
so you don't scan mail originating from the localhost itself.

>
> -----Original Message-----
> From: mailscanner-bounces at lists.mailscanner.info
> [mailto:mailscanner-bounces at lists.mailscanner.info] On Behalf Of dnsadmin
> 1bigthink.com
> Sent: Monday, August 17, 2009 1:03 PM
> To: MailScanner discussion
> Subject: RE: Logwatch being marked as virus
>
> At 01:54 PM 8/17/2009, you wrote:
>    
>> The logwatch reports are coming from the localhost (same machine) and 3
>> other machines.
>> MailScanner is not allowing them to send the logwatch report, just marks it
>> as a virus.
>>
>> /etc/MailScanner/rules/spam.whitelist.rules
>>
>> FromOrTo:       root at thismachine.com yes
>> FromOrTo:       reports at anothermachine.com yes
>> FromOrTo:       default         no
>>
>> I'm generating the logwatch report on "thismachine.com" and attempting
>> To send to " reports at anothermachine.com".
>>
>> I have clamav as the virus program. The virus it is finding is part of the
>> phishing report info.
>>      
> -Snip-
>
> You are using the spam.whitelist rules, which are behaving themselves
> just fine. Use the virus scanning rules to whitelist. I had the same
> problem. Fixed!
>
> Cheers,
> Glenn
>
>
>    

Jules

-- 
Julian Field MEng CITP CEng
www.MailScanner.info
Buy the MailScanner book at www.MailScanner.info/store

Need help customising MailScanner?
Contact me!
Need help fixing or optimising your systems?
Contact me!
Need help getting you started solving new requirements from your boss?
Contact me!

PGP footprint: EE81 D763 3DB0 0BFD E1DC 7222 11F6 5947 1415 B654
Follow me at twitter.com/JulesFM and twitter.com/MailScanner
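
The difference between the two rulesets discussed above, as an added example that is not part of the original message and not MailScanner's own code. It is a simplified first-match model of a ruleset; the `@` form of the addresses, the recipient `user@thismachine.com`, the IP `203.0.113.25`, the `default yes` line in the IP ruleset and the scan-on-no-match fallback are assumptions made for the illustration.

```python
from ipaddress import ip_address, ip_network

def parse_rules(text):
    """Parse 'Direction: pattern yes|no' lines into (direction, pattern, bool)."""
    rules = []
    for line in text.splitlines():
        line = line.split("#", 1)[0].strip()
        if line:
            direction, pattern, value = line.split()
            rules.append((direction.rstrip(":").lower(), pattern.lower(),
                          value.lower() == "yes"))
    return rules

def _matches(direction, pattern, sender, recipient, client_ip):
    if pattern == "default":
        return True
    if "@" in pattern:
        # Address rule: compared against envelope data the sending side chooses.
        fields = {"from": [sender], "to": [recipient],
                  "fromorto": [sender, recipient]}[direction]
        return pattern in (f.lower() for f in fields)
    # IP rule: compared against the address the connection actually came from.
    return ip_address(client_ip) in ip_network(pattern, strict=False)

def virus_scan(rules, sender, recipient, client_ip):
    """Return True if the message is virus scanned; the first matching rule decides."""
    for direction, pattern, value in rules:
        if _matches(direction, pattern, sender, recipient, client_ip):
            return value
    return True  # assumption: scan when no rule matches

BY_ADDRESS = "FromOrTo: root@thismachine.com no\nFromOrTo: default yes\n"
BY_IP = "From: 127.0.0.1 no\nFromOrTo: default yes\n"

# Constructed messages: (envelope sender, recipient, connecting IP)
LOCAL_LOGWATCH = ("root@thismachine.com", "reports@anothermachine.com", "127.0.0.1")
SPOOFED_REMOTE = ("root@thismachine.com", "user@thismachine.com", "203.0.113.25")

def scanned_matrix():
    """Map (ruleset, message) to whether that message gets virus scanned."""
    return {(name, label): virus_scan(parse_rules(text), *msg)
            for name, text in (("address", BY_ADDRESS), ("ip", BY_IP))
            for label, msg in (("local", LOCAL_LOGWATCH), ("spoofed", SPOOFED_REMOTE))}

if __name__ == "__main__":
    for key, scanned in scanned_matrix().items():
        print(key, "scanned" if scanned else "NOT scanned")
```

Both rulesets let the local logwatch report through unscanned, but only the address-based one also skips scanning for the remote message that merely claims the same sender.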

