Code for manipulating all messages matching some criteria?

John Wade jwade at
Tue Oct 22 18:56:32 EDT 2013

Hi Jason,

We have run into this a number of times with various spear phishing 
messages.    As a result, we cobbled together a total hack.   We have a 
perl tool that searches the mail spool filesystems, (either inboxes only 
or a full recursive search) and then searches and replaces the offending 
link or text within the messages.   Does not help with clients who cache 
the message contents and is not a perfect solution, but has worked when 
we have needed it .    Since it only touches the contents of messages, 
it does not require a reconstruct like nuking the file outside of Cyrus 
would.   We ended up going through the file system to find the messages 
since some of these attacks had a lot of variation of subject, sender 
and links and regular expressions are a great tool.

I have been meaning for some time to rewrite this to have it do an IMAP 
delete/purge of the offending messages, but have not had the time.     
If somebody has a great tool for this that they could share, I would 
love to see it.

If anybody really wants our pathetic little hack, I would be happy to 
share it.

Hope this helps,
John Wade
Oakton Community College

On 10/22/2013 2:24 PM, Jason L Tibbitts III wrote:
> Recently our campus was hit with a particularly bad targeted trojan
> attach and the IT overlords sent out a demand that we (a small
> department with several hundred mailboxes on our own server) go through
> all user mailboxes and actually delete the offending messages.  At least
> using the admin account this is actually kind of reasonable to do.
> While I'm sure I could whip something up if I actually had enough free
> time, I was wondering if anyone had already been through this kind of
> thing and had cobbled together any code to do it.
> I see something called imapfilter which might do the trick, but it seems
> to be completely opaque.
>   - J<
> ----
> Cyrus Home Page:
> List Archives/Info:
> To Unsubscribe:

More information about the Info-cyrus mailing list