Hi Jason, We have run into this a number of times with various spear phishing messages. As a result, we cobbled together a total hack. We have a perl tool that searches the mail spool filesystems, (either inboxes only or a full recursive search) and then searches and replaces the offending link or text within the messages. Does not help with clients who cache the message contents and is not a perfect solution, but has worked when we have needed it . Since it only touches the contents of messages, it does not require a reconstruct like nuking the file outside of Cyrus would. We ended up going through the file system to find the messages since some of these attacks had a lot of variation of subject, sender and links and regular expressions are a great tool. I have been meaning for some time to rewrite this to have it do an IMAP delete/purge of the offending messages, but have not had the time. If somebody has a great tool for this that they could share, I would love to see it. If anybody really wants our pathetic little hack, I would be happy to share it. Hope this helps, John Wade Oakton Community College On 10/22/2013 2:24 PM, Jason L Tibbitts III wrote: > Recently our campus was hit with a particularly bad targeted trojan > attach and the IT overlords sent out a demand that we (a small > department with several hundred mailboxes on our own server) go through > all user mailboxes and actually delete the offending messages. At least > using the admin account this is actually kind of reasonable to do. > While I'm sure I could whip something up if I actually had enough free > time, I was wondering if anyone had already been through this kind of > thing and had cobbled together any code to do it. > > I see something called imapfilter which might do the trick, but it seems > to be completely opaque. > > - J< > ---- > Cyrus Home Page: http://www.cyrusimap.org/ > List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ > To Unsubscribe: > https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus ---- Cyrus Home Page: http://www.cyrusimap.org/ List Archives/Info: http://lists.andrew.cmu.edu/pipermail/info-cyrus/ To Unsubscribe: https://lists.andrew.cmu.edu/mailman/listinfo/info-cyrus
