Delete Phishing mail detected by ClamAV

thorsten · August 30, 2018, 4:52am

NethServer Version: 7.5
Module: Antivirus

Hi & good morning

Every morning, when I wake up, I have a little look on my nethservers status emails. Are backups OK, any concurrent errors on cron jobs etc. And I also delete the ClamAV report untead - it has detected the same xhundred phishing mails again … like yesterday, and the day before yesterday, and …

Honestly I would not even notice a real thread,

This points me to the question: how can I use the report to find(, review) and delete alle the single emails using SOGo or Thunderbird?

Is the cryptic number

Scanned Folder: //var/lib/nethserver/vmail/mynamr@mydomain.tld/Maildir/.Archive/cur/1531420782.M787151P11387.ebb-s01.mydomain.tld,S=2566,W=2591:2,S: Email.Phishing.DblDom-130 FOUND

somehow searchable? May such operation be somehow automated? Is there any option to move such mails to quarantine as for regular files, too?

TIA
Thorsten

stephdl · September 1, 2018, 5:59am

Try one of my module nethserver-clamscan, it scans the file system and move to quarantine (if enabled) the virus found.

check the wiki

thorsten · September 1, 2018, 8:55am

Hallo Stephane,

Thanky you, very nice module. Got it - and it works nice to move to phishing mails to /var/spool/clamav/quarantine.

But still: I would like to review the mail before deleting finally. Do you think it could work to create an IMAP folder for any user (e.g. using sogo) and copy mails
cp /var/spool/clamav/quarantine/foo /var/lib/nethserver/vmail/myname@mydomain.tld/Maildir/.foo/cur

would it be possible to use doveadm import be suitable for that?

TIA
Thorsten

stephdl · September 1, 2018, 9:02am

email are just files with permissions, I suppose you could create a script to find email (by a grep or find or whatever you want) and set permission to vmail after the cp to the folder

but but at the end of the clamscan, these emails will go again in quarantine…this is a never ending story

stephdl · September 1, 2018, 9:27am

maybe you could exclude the email folder of your specific account, just thinking of it

thorsten · September 1, 2018, 9:32am

yes. you are right, and no, it does not work: SOGo sees that messages exist, but can not display. Dovecot seems to create an index in order to access / view files. These index-files are not created by a simple copy of files.

Again, I have to state a clear mabe as the answer:
Of course you are right, but I am thinking about possible variants:

a link to the files in /var/spool/clamav/quarantine would prevent files from beering rescanned again
implementing a counter script would exceed my little linux knowledge
I do not need an automated system. I just need to review such mails exactly once in case they are moved to quarantine, so what I am looking for might be some more comfortable tool from the command line instead of tail or nano of the respective mail file within quarantine.

TIA
Thorsten