Code for manipulating all messages matching some criteria?
John Wade
jwade at oakton.edu
Tue Oct 22 18:56:32 EDT 2013
Hi Jason,
We have run into this a number of times with various spear phishing
messages. As a result, we cobbled together a total hack. We have a
perl tool that searches the mail spool filesystems, (either inboxes only
or a full recursive search) and then searches and replaces the offending
link or text within the messages. Does not help with clients who cache
the message contents and is not a perfect solution, but has worked when
we have needed it . Since it only touches the contents of messages,
it does not require a reconstruct like nuking the file outside of Cyrus
would. We ended up going through the file system to find the messages
since some of these attacks had a lot of variation of subject, sender
and links and regular expressions are a great tool.
I have been meaning for some time to rewrite this to have it do an IMAP
delete/purge of the offending messages, but have not had the time.
If somebody has a great tool for this that they could share, I would
love to see it.
If anybody really wants our pathetic little hack, I would be happy to
share it.
Hope this helps,
John Wade
Oakton Community College
On 10/22/2013 2:24 PM, Jason L Tibbitts III wrote:
> Recently our campus was hit with a particularly bad targeted trojan
> attach and the IT overlords sent out a demand that we (a small
> department with several hundred mailboxes on our own server) go through
> all user mailboxes and actually delete the offending messages. At least
> using the admin account this is actually kind of reasonable to do.
> While I'm sure I could whip something up if I actually had enough free
> time, I was wondering if anyone had already been through this kind of
> thing and had cobbled together any code to do it.
>
> I see something called imapfilter which might do the trick, but it seems
> to be completely opaque.
>
> - J<
> ----
> Cyrus Home Page: http://www.cyrusimap.org/
> List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/
> To Unsubscribe:
> https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
More information about the Info-cyrus
mailing list