We wrote a tool to deal with mass spear phishing attacks that were not successfully blocked by our anti-spam appliances. (On the antivirus note, we scan email three different ways: with the next-gen firewall, with the anti-spam appliance, and then on the desktops when mail is accessed. Due to the lag in creating patterns, we still occasionally find Thunderbird cache files with malware in them on overnight scans.)
The tool we wrote for phishing scans the Cyrus IMAP server's IMAP spool file systems looking for a specific text string in specific users' mailboxes in recent messages. The search can be done either recursively or just on the inbox. It then looks for and replaces another specific text string (usually the phishing URL) with a string like "Phishing URL removed by the Information Technology department". Finally, if you pass it the delete option, it will make the IMAP calls to log into the mailbox and issue the IMAP delete to delete the message. This avoids the need to reconstruct the mailbox, gets the message out of users' IMAP caches and is clean. If for some reason we do not want to delete the message, the search and replace can sanitize it. Can send you the script if you are interested.

John

On 3/4/2015 4:04 AM, hw wrote:
> Hi,
>
> can I remove or delete emails from the imap directory directly (with rm)
> without screwing things up?
>
> I'm running a virus scan over the spool directory and wonder how to get
> those messages removed within which a virus has been found. The easiest
> way would be to let the virus scanner do this, and the virus scanner
> doesn't use IMAP.
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
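The workflow John describes (scan recent messages in a user's Cyrus spool for a marker string, replace the phishing URL with a notice, and, when asked, delete through IMAP instead of rm on the spool), as an added example in Python. It is not John's script and not part of Cyrus. It assumes the usual Cyrus spool layout (message files named "1.", "2.", ... next to cyrus.index/cyrus.cache/cyrus.header, subfolders as subdirectories); the spool path, user jdoe, marker string, URL, notice text, the sample messages and the FakeIMAP stand-in for a logged-in imaplib connection are all constructed for the example. It also adds the check a practitioner wants before editing spool files in place: a notice longer than the URL changes the file size recorded in cyrus.index, so that mailbox needs `reconstruct` afterwards, which is exactly why the IMAP-delete path is the cleaner one.

```python
import os
import re
import tempfile
import time

MSG_FILE = re.compile(r"^\d+\.$")  # Cyrus message files: "1.", "2.", ... beside cyrus.index


def find_messages(mailbox_dir, needle, recursive=True, max_age=7 * 86400):
    """Message files under mailbox_dir containing `needle`, modified within `max_age` s."""
    needle = needle.encode() if isinstance(needle, str) else needle
    # inbox only = the mailbox directory itself; recursive = its subfolder directories too
    walker = os.walk(mailbox_dir) if recursive else [(mailbox_dir, [], os.listdir(mailbox_dir))]
    hits = []
    for root, _dirs, files in walker:
        for name in files:
            if not MSG_FILE.match(name):
                continue  # skip cyrus.index, cyrus.cache, cyrus.header
            path = os.path.join(root, name)
            if time.time() - os.path.getmtime(path) > max_age:
                continue  # the spear-phish wave is recent; leave old mail alone
            with open(path, "rb") as fh:
                if needle in fh.read():
                    hits.append(path)
    return sorted(hits)


def sanitize_message(path, url, notice):
    """Replace `url` with `notice` in place, keeping mtime. A shorter notice is space-padded
    so the size in cyrus.index stays valid; a longer one forces a later `reconstruct`."""
    url_b, notice_b = url.encode(), notice.encode()
    if len(notice_b) < len(url_b):
        notice_b = notice_b.ljust(len(url_b))
    st = os.stat(path)
    with open(path, "r+b") as fh:
        data = fh.read()
        count = data.count(url_b)
        if count:  # replacement is never shorter than the URL, so no truncate needed
            fh.seek(0)
            fh.write(data.replace(url_b, notice_b))
    os.utime(path, ns=(st.st_atime_ns, st.st_mtime_ns))
    return count, bool(count) and len(notice_b) != len(url_b)


def delete_via_imap(conn, folder, needle):
    """Flag and expunge messages in `folder` whose text contains `needle` over IMAP, so Cyrus
    updates its own index and clients drop the message. `conn` is a logged-in IMAP4 object."""
    if conn.select(folder)[0] != "OK":
        raise RuntimeError(f"SELECT {folder} failed")
    _typ, data = conn.search(None, "TEXT", f'"{needle}"')  # needle must not contain '"'
    nums = [n.decode() for n in data[0].split()]
    if nums:
        conn.store(",".join(nums), "+FLAGS", r"(\Deleted)")
        conn.expunge()
    return [int(n) for n in nums]


class FakeIMAP:
    """Constructed stand-in for a logged-in imaplib.IMAP4_SSL so the example runs offline."""
    def __init__(self, folders):
        self.folders, self.cur, self.flagged = folders, None, set()
    def select(self, folder):
        self.cur = folder
        return "OK", [str(len(self.folders[folder])).encode()]
    def search(self, _charset, *criteria):
        needle = criteria[-1].strip('"')
        hits = [str(i) for i, m in enumerate(self.folders[self.cur], 1) if needle in m]
        return "OK", [" ".join(hits).encode()]
    def store(self, nums, _command, _flags):
        self.flagged.update(int(n) for n in nums.split(","))
        return "OK", []
    def expunge(self):
        kept = [m for i, m in enumerate(self.folders[self.cur], 1) if i not in self.flagged]
        self.folders[self.cur], self.flagged = kept, set()
        return "OK", []


def demo():
    """Constructed spool for user jdoe: fresh phish in INBOX, month-old copy in Archive."""
    url = "http://phish.example.invalid/login"
    notice = "Phishing URL removed by the Information Technology department"
    marker = "Subject: Urgent: verify your account"
    inbox = os.path.join(tempfile.mkdtemp(), "user", "jdoe")
    archive = os.path.join(inbox, "Archive")
    os.makedirs(archive)
    phish = f"From: payroll@example.com\r\n{marker}\r\n\r\nLog in at {url} today.\r\n"
    lunch = "From: a@example.net\r\nSubject: lunch\r\n\r\nNoon?\r\n"
    files = {os.path.join(inbox, "1."): phish, os.path.join(inbox, "2."): lunch,
             os.path.join(archive, "3."): phish}
    for path, body in files.items():
        with open(path, "wb") as fh:
            fh.write(body.encode())
    os.utime(os.path.join(archive, "3."), (time.time() - 30 * 86400,) * 2)  # outside window
    recent = find_messages(inbox, marker, recursive=True)
    results = [sanitize_message(p, url, notice) for p in recent]
    conn = FakeIMAP({"INBOX": [phish, lunch]})
    deleted = delete_via_imap(conn, "INBOX", marker)
    return (len(recent), sum(c for c, _ in results), any(s for _, s in results),
            deleted, len(conn.folders["INBOX"]))
```

Against a real server, `conn` is `imaplib.IMAP4_SSL(host)` after `conn.login(user, password)`; which mailbox name selects another user's INBOX depends on the server's namespace configuration, so treat "INBOX" here as a placeholder. The literal byte search in `find_messages` and `sanitize_message` only matches URLs that appear verbatim in the spool file; a URL that is soft-wrapped by quoted-printable encoding or sits in a base64 body part is missed, and the IMAP TEXT search (which the server runs over decoded content) is the more reliable match for those.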