deleting emails directly
John Wade
jwade at oakton.edu
Wed Mar 4 06:33:44 EST 2015
We wrote a tool to deal with mass spear phishing attacks that were not
successfully blocked by our anti-spam appliances. (On the antivirus
note, we scan email three different ways, with the next gen firewall,
with the antispam appliance, and then on the desktops when mail is
accessed. Due to the lag in creating patterns, we still occasionally
find Thunderbird cache files with malware in them on overnight scans.)
The tool we wrote for phishing scans the Cyrus imap server's imap spool
file systems looking for a specific text string in specific users'
mailboxes in recent messages. The search can be done either recursively
or just the inbox. It then looks for and replaces another specific
text string (usually the phishing URL) with a string, like "Phishing URL
removed by the Information Technology department". Finally, if you
pass it the delete option, it will make the IMAP calls to log into the
mailbox and issue the IMAP delete to delete the message.
This avoids the need to reconstruct the mailbox, gets the message out of
users' IMAP caches and is clean. If for some reason we do not want to
delete the message, the search and replace can sanitize it.
Can send you the script if you are interested.
John
On 3/4/2015 4:04 AM, hw wrote:
> Hi,
>
> can I remove or delete emails from the imap directory directly (with rm)
> without screwing things up?
>
> I'm running a virus scan over the spool directory and wonder how to get
> those messages removed within which a virus has been found. The easiest
> way would be to let the virus scanner do this, and the virus scanner
> doesn't use IMAP.
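The workflow described in the reply above (find a marker string in recent spool messages, replace the phishing URL with a notice, then delete over IMAP), written out as an added example; it is not the script offered in the message. It assumes each message in a mailbox directory is a file named `<uid>.`, that the caller maps each returned directory to its IMAP mailbox name, and that `conn` is an authenticated `imaplib.IMAP4` session; the function names are hypothetical.

```python
import os
import re
import time

# Assumption: each message in a Cyrus mailbox directory is one file named "<uid>."
UID_FILE = re.compile(r"^(\d+)\.$")

def scan_and_sanitize(mailbox_dir, marker, bad_url, notice,
                      max_age_days=2, recursive=False):
    """Return {directory: [uid, ...]} for recent messages containing `marker`.

    Matching is on raw bytes, so base64 or quoted-printable bodies are missed.
    """
    cutoff = time.time() - max_age_days * 86400
    hits = {}
    for root, dirs, files in os.walk(mailbox_dir):
        if not recursive:
            dirs[:] = []  # inbox only: do not descend into subfolders
        for name in sorted(files):
            m = UID_FILE.match(name)
            path = os.path.join(root, name)
            if not m or os.path.getmtime(path) < cutoff:
                continue  # skips index files and messages older than the window
            with open(path, "rb") as fh:
                data = fh.read()
            if marker not in data:
                continue
            if bad_url in data:
                st = os.stat(path)
                tmp = path + ".tmp"
                with open(tmp, "wb") as fh:
                    fh.write(data.replace(bad_url, notice))
                os.replace(tmp, path)  # atomic swap, no half-written message
                os.utime(path, (st.st_atime, st.st_mtime))  # keep timestamps
            hits.setdefault(root, []).append(int(m.group(1)))
    return hits

def delete_uids(conn, mailbox, uids):
    """Flag the UIDs \\Deleted and expunge through an imaplib.IMAP4 session.

    EXPUNGE also removes anything else already flagged \\Deleted in the mailbox.
    """
    conn.select(mailbox)
    uid_set = ",".join(str(u) for u in sorted(uids))
    conn.uid("STORE", uid_set, "+FLAGS", r"(\Deleted)")
    conn.expunge()
    return uid_set
```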