
Topic: Searching and deleting phishing emails

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):  1.6.2
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version: CentOS
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx): Nginx
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hello,
we get quite a lot of phishing emails that come from hijacked legitimate email accounts, so they easily pass through the filters and arrive in users' inboxes.
Currently we are doing a manual procedure of searching for and deleting emails across the whole server.

- We get phishing emails in our collector account
- We check the content and manually set the search parameters based on it
- We search for emails in all accounts based on from, subject, date, message-id and also body (but this takes a long time)
for example:

sudo -u vmail doveadm search -A mailbox INBOX subject 'Preverjanje računa !'  from "nkbm" BEFORE 2022-11-25 SINCE 2022-11-24
sudo -u vmail doveadm search -u specific_user@domain.com mailbox INBOX subject 'račun za preverjanje!'  from "@smartr.me" HEADER message-id "@85.214.121.223" BEFORE 2022-10-04 SINCE 2022-10-03

- We check the search results to see if they are really phishing emails
- We delete them or put them into spam
example:

sudo -u vmail doveadm expunge -A mailbox INBOX subject "račun za preverjanje" from "@smartr.me"

or we do it in a slightly more secure way, by only doing the move or expunge on users that were in the search results

sudo -u vmail doveadm move -F 24_11_2022_users.txt Junk mailbox INBOX subject 'Preverjanje računa !'  from "nkbm" BEFORE 2022-11-25 SINCE 2022-11-24

Now my question is whether it is possible to implement some way of fighting phishing emails in iRedAdmin-Pro, at least some way of securely deleting phishing emails from all the email accounts.
This cannot be fully automatic, but we could cut down a lot of steps if we give admins a simple way to identify phishing and then search for similar messages, verify them and in the end delete them or move them to spam.
Or how do we implement more advanced protection against phishing emails?

Thank you very much!
Slovenka

----

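The search, review, then move-only-for-matched-users workflow described in the post above, as an added example that is not from the original poster or from the iRedMail project. It assumes `doveadm search -A` prints one `user mailbox-guid uid` line per match; the sample output is constructed and the search criteria are the ones quoted in the post.

```shell
#!/bin/sh
# Added example, not part of the original post or of iRedMail. It wraps the
# search -> review -> move steps so the move only touches accounts that
# actually matched the search. Assumption: `doveadm search -A` prints one
# line per match in the form "user mailbox-guid uid".

# Constructed sample of `doveadm search -A ...` output, so the user-list
# extraction can be exercised on a machine without Dovecot installed.
SAMPLE_SEARCH_OUTPUT='alice@example.com 3a1f0e3c5b7d4e2f9c1a2b3c4d5e6f70 1234
bob@example.com 7f6e5d4c3b2a19087f6e5d4c3b2a1908 88
alice@example.com 3a1f0e3c5b7d4e2f9c1a2b3c4d5e6f70 1250'

# Reduce search output (stdin) to sorted, de-duplicated user names from
# column 1; this is the list handed to `doveadm move -F`.
matched_users() {
    awk 'NF >= 3 { print $1 }' | sort -u
}

# Search every account; falls back to the constructed sample without doveadm.
search_all() {
    if command -v doveadm >/dev/null 2>&1; then
        sudo -u vmail doveadm search -A mailbox INBOX "$@"
    else
        printf '%s\n' "$SAMPLE_SEARCH_OUTPUT"
    fi
}

# Run the given command with the post's search criteria appended, so the
# exact same criteria are used for the search and for the later move.
with_criteria() {
    "$@" subject 'Preverjanje računa !' from 'nkbm' BEFORE 2022-11-25 SINCE 2022-11-24
}

USERS_FILE="${USERS_FILE:-$(date +%d_%m_%Y)_users.txt}"

# Stage 1: write the affected-user list for an admin to review by hand.
stage_search() {
    with_criteria search_all | matched_users > "$USERS_FILE"
    echo "Review $USERS_FILE, then run '$0 move' to quarantine the matches."
}

# Stage 2 (only after review): move matches to Junk for the listed users only.
stage_move() {
    with_criteria sudo -u vmail doveadm move -F "$USERS_FILE" Junk mailbox INBOX
}

case "${1:-}" in
    search) stage_search ;;
    move)   stage_move ;;
esac
```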


Re: Searching and deleting phishing emails

Yes and no.

- iRedAdmin-Pro runs as the non-privileged "iredadmin" system user; it doesn't have the privilege to run shell commands like "doveadm" (which requires either "vmail" or "root" user permission).
- Dovecot can expose doveadm as an HTTP API, and iRedAdmin-Pro can communicate with it via HTTP requests. https://doc.dovecot.org/admin_manual/doveadm_http_api/

The upcoming product we're working on, iRedMail Pro (https://docs.iredmail.org/pro.html DRAFT), has the potential to achieve this feature because it runs as root first, forks a daemon service for iRedMail deployment / update / upgrade, then drops privileges to a non-privileged user for the web service. We can fork one more daemon as the root user for many more operations, including running shell commands, e.g. "doveadm".