Maybe have the log emails go to an alias that doesn't get scanned?
I realized that all mail from root should be automated stuff coming from the box, never sourced by a human from outside. Anybody have a rule that verifies the message wasn't injected by SMTP from outside? I can whitelist all mail that originated on the box.
