Hello.

What's the best way, and the second-best way, to react to zero-day virus threats - messages that are delivered to the mail store before the detection is in place?

Is there a best practice that functions nicely within the Cyrus community? Like a Perl script that traverses the mail store (via IMAP or Cyrus utilities) and checks message content against an antivirus command line? And then safely, within the Cyrus system, deletes the message? I can't do that. I don't have that functionality. Can anyone share code or ideas to help make this happen?

The second best I can think of is to traverse and locate the storage system from the command line, remove the exploited messages found, and reconstruct the mailboxes with changes ASAP. Here we are working outside of Cyrus, so it's discouraged.

long line:

    find /var/spool/imap/user/ -name "*\." -ctime -6h -print0 | xargs -0 clamscan | grep FOUND > badones

remove and reconstruct based on file badones.

As a related question, if I locate a message in the mail store from command mode, and neuter some aspect of the vulnerability presented by modifying the text of the stored message yet retaining the same message size, are there internal Cyrus structures that require updating? I seem to get good results from this, but I'm guessing reconstruct afterwards is best (and that the idea of modification from the file system is, yes, discouraged).

Thanks for any thoughts or ideas,
John

----
Cyrus Home Page: http://cyrusimap.web.cmu.edu/
Cyrus Wiki/FAQ: http://cyrusimap.web.cmu.edu/twiki
List Archives/Info: http://asg.web.cmu.edu/cyrus/mailing-list.html
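An added example, not part of John's message and not Cyrus tooling: a sketch of the "based on file badones" step, turning clamscan's "path: signature FOUND" lines into a reviewable list of message files to quarantine and mailboxes to reconstruct. It assumes the unhashed spool root /var/spool/imap from the find command above and the default "." mailbox hierarchy separator; the function names and the sample report are constructed for illustration.

```sh
#!/bin/sh
# Assumption: unhashed spool root, matching the find command in the message.
SPOOL=/var/spool/imap

# Constructed sample of clamscan output (not real detections).
sample_report() {
cat <<'EOF'
/var/spool/imap/user/alice/12.: Eicar-Test-Signature FOUND
/var/spool/imap/user/alice/Trash/7.: Eicar-Test-Signature FOUND
/var/spool/imap/user/alice/13.: OK
/var/spool/imap/user/bob/3.: Eicar-Test-Signature FOUND
/var/spool/imap/user/bob/cyrus.index: Eicar-Test-Signature FOUND
/tmp/user/eve/1.: Eicar-Test-Signature FOUND
EOF
}

# Keep only FOUND paths that sit under the spool and look like Cyrus
# message files (digits followed by "."). Index files and anything outside
# the spool are dropped so a stray line can never drive a removal.
infected_files() {
    sed -n 's/^\(.*\): .* FOUND$/\1/p' |
    awk -v root="$SPOOL/" \
        'index($0, root) == 1 && $0 ~ /\/[0-9]+\.$/ && $0 !~ /\/\.\.\//'
}

# Map message paths to mailbox names, one per line, de-duplicated:
#   /var/spool/imap/user/alice/Trash/7.  ->  user.alice.Trash
mailboxes() {
    awk -v root="$SPOOL/" '{
        p = substr($0, length(root) + 1)   # user/alice/Trash/7.
        sub(/\/[0-9]+\.$/, "", p)          # user/alice/Trash
        gsub(/\//, ".", p)                 # user.alice.Trash
        print p
    }' | LC_ALL=C sort -u
}

# Print a plan for a human to review; nothing is deleted or reconstructed here.
plan() {
    report=$(cat)
    printf '%s\n' "$report" | infected_files | sed 's/^/quarantine: /'
    printf '%s\n' "$report" | infected_files | mailboxes | sed 's/^/reconstruct: /'
}

sample_report | plan
```

On a live system the input would be the clamscan output itself (for example `plan < badones`), and each "reconstruct:" line names a mailbox to pass to Cyrus's reconstruct utility once the listed files have been moved aside.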