
Topic: Manually move phishing or malware messages to spam folder (or delete)

==== REQUIRED BASIC INFO OF YOUR IREDMAIL SERVER ====
- iRedMail version (check /etc/iredmail-release):
- Deployed with iRedMail Easy or the downloadable installer? downloadable
- Linux/BSD distribution name and version:
- Store mail accounts in which backend (LDAP/MySQL/PGSQL): LDAP
- Web server (Apache or Nginx):
- Manage mail accounts with iRedAdmin-Pro? Yes
- [IMPORTANT] Related original log or error message is required if you're experiencing an issue.
====
Hi.
Sometimes phishing messages or messages with malware attachments get into the Inbox. Currently we are doing this manually with the following procedure:

We monitor specific accounts that get a lot of those messages or customers report themselves.

First we search for all the users with the problematic message. Often searching by "subject" is enough, sometimes we add "from" or "message-id", but we always restrict it to a specific period with "before" and "since" (they normally arrive on the same day or in the same hour).

sudo -u vmail doveadm search -A mailbox INBOX subject 'Pošiljanje spremnega naročila št. 20240403-70611'  BEFORE 2024-03-05 SINCE 2024-03-03

sudo -u vmail doveadm search -A mailbox INBOX subject 'račun za preverjanje!'  from "@smartr.me" HEADER message-id "@85.214.121.223" BEFORE 2022-10-04 SINCE 2022-10-03

Because we were not comfortable executing the move command on all users, we decided to do it more "safely" and extract the users from the above command:

sudo -u vmail doveadm search -A mailbox INBOX subject 'Pošiljanje spremnega naročila št. 20240403-70611' BEFORE 2024-03-05 SINCE 2024-03-03 > messages.txt
# each line of messages.txt is "<user> <mailbox-guid> <uid>"; sort -u de-duplicates users even when hits for one user are not adjacent (uniq only folds adjacent lines)
awk '{ print $1 }' messages.txt | sort -u > users.txt

Then we execute the command to move the messages matching the search query for those specific users (don't judge, I know the step for extracting users is not necessary, but for us it seems a safer way):

sudo -u vmail doveadm move -F users.txt Junk mailbox INBOX subject 'Pošiljanje spremnega naročila št.'  BEFORE 2024-03-05 SINCE 2024-03-03
 

And yes, we could do "sudo -u vmail doveadm expunge ...", but again, we are not comfortable just deleting messages, so we decided to use "move to Junk".

Now my question is: is it possible to implement some sort of similar function in iRedAdmin-Pro, so we could analyze specific messages that went into the Inbox and then move them to the Junk folder or delete them for all mailboxes that received that message, safely?

Or does anybody have a different and better way of handling such scenarios?

And if you are wondering: yes, we have permission from our customers to manually analyze and remove suspicious messages in their accounts.
Thank you!

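The search, extract-users, move sequence from the post, wrapped as one script. This is an added example, not code from the original post and not part of iRedMail or iRedAdmin-Pro. Assumptions (mine): it runs on the Dovecot host, doveadm is invoked as given in the DOVEADM variable (default plain `doveadm`; set `DOVEADM="sudo -u vmail doveadm"` to match the post), the junk folder is named "Junk", and SINCE/BEFORE are YYYY-MM-DD dates as in the post. The `doveadm search -A` output format ("<user> <mailbox-guid> <uid>", one line per hit) is the documented one; the function names and the DRY_RUN knob are my own.

```shell
#!/bin/sh
# Added example (not from the original post or from iRedMail): a wrapper
# around the manual doveadm procedure.  Assumed: runs on the Dovecot host,
# DOVEADM is how doveadm is invoked, the junk folder is "Junk", dates are
# YYYY-MM-DD.  DRY_RUN=1 searches and reports but moves nothing.
set -eu

: "${DOVEADM:=doveadm}"   # left unquoted below on purpose so it may hold "sudo -u vmail doveadm"
: "${JUNK:=Junk}"
: "${DRY_RUN:=0}"

# Step 1: find the message in every user's INBOX.
# `doveadm search -A` prints one line per hit: "<user> <mailbox-guid> <uid>".
search_all() { # subject since before
    $DOVEADM search -A mailbox INBOX subject "$1" SINCE "$2" BEFORE "$3"
}

# Step 2: reduce the search output to a de-duplicated user list.
# sort -u rather than uniq: uniq only folds adjacent duplicates, and the
# search output is not guaranteed to be grouped by user.
extract_users() {
    awk 'NF >= 3 { print $1 }' | sort -u
}

# Hits per user, so the operator sees the blast radius before anything moves.
count_per_user() {
    awk 'NF >= 3 { n[$1]++ } END { for (u in n) print u, n[u] }' | sort
}

# Step 3: move only in the mailboxes where step 1 found a hit (-F user list),
# re-running the same query so only the matching messages are touched.
move_for_users() { # users-file subject since before
    $DOVEADM move -F "$1" "$JUNK" mailbox INBOX subject "$2" SINCE "$3" BEFORE "$4"
}

# search -> review -> move.  Returns 1 when nothing matched.
# With DRY_RUN=1 it prints the affected users on stdout and moves nothing.
sweep() { # subject since before
    hits=$(mktemp); users=$(mktemp)
    search_all "$1" "$2" "$3" > "$hits"
    if [ ! -s "$hits" ]; then
        echo "no matches for subject '$1'" >&2
        rm -f "$hits" "$users"; return 1
    fi
    extract_users < "$hits" > "$users"
    echo "hits per user:" >&2
    count_per_user < "$hits" >&2
    if [ "$DRY_RUN" = 1 ]; then
        cat "$users"
    else
        move_for_users "$users" "$1" "$2" "$3"
        echo "moved to $JUNK for $(wc -l < "$users" | tr -d ' ') user(s)" >&2
    fi
    rm -f "$hits" "$users"
}

# Usage: DOVEADM="sudo -u vmail doveadm" sh sweep.sh 'Subject fragment' 2024-03-03 2024-03-05
# Run DRY_RUN=1 first and look at the per-user counts before the real run.
if [ $# -gt 0 ]; then
    [ $# -eq 3 ] || { echo "usage: $0 'subject' SINCE BEFORE" >&2; exit 2; }
    sweep "$1" "$2" "$3"
fi
```

The move is scoped with `-F` to the users that the search actually hit and repeats the same subject/date query, so a typo in the subject surfaces in the dry run as zero or unexpectedly many hits instead of as a mass move. Swapping `move` for `expunge` in `move_for_users` gives the delete variant the post mentions; keeping the move is the reversible choice.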