Message Search page, additional possibilities request
-
Hello everyone
Imagine the following situation. A malicious actor composes a well-falsified phishing message, researches the company site and collects email addresses. Then emails that message simultaneously to a dozen mailing lists, each having 5 or more users, and to quite a few individual users. The message makes its way through the gateway, then through MDaemon. Some of the users are on multiple lists, so they've received 4 or 5 copies, some got none.
And now the admin has at least 60 - 70 messages to dispose of. This is the type of situation I face with increasing frequency. Various "incoming messages waiting"/"file uploaded for you to cloud storage"/"your package had incorrect address, please logon and correct in order to get it"... messages are getting through Hosted Gateway/MDaemon spam control and I need to remove these from the mail storage as soon as I can (while answering users' calls asking me if these are genuine and what to do with them).
Please don't get me wrong, this is not a criticism. Some of those phishing messages are exceptionally well crafted and sent in a way that none of the protections are triggered (and we have everything enabled with pretty restrictive spam score settings, plus Hosted Security Gateway).
We have admin as a member in all of the mailing lists, so I have pretty good overview of those. Copies sent to individuals... the other story.
Anyway, the Message Search page in Remote Administration is of great help in battling situations like the one described above. It would be even better if I could move/delete messages from that page directly. It would be an even greater help if the search could be made by complete domain (not only by individual user mailbox) or even by total mail storage. Yes, I'm aware of potential problems with a feature this powerful, but every minute more that malicious content remains in users' inboxes, the more chance to get even bigger problems.
Just a suggestion
Regards
-
Arron Staff
I've added searching by domain and the ability to delete messages to the wishlist.
Would you be willing to share some of those messages with us? I'd like to see if we can improve our filtering. https://mdaemon.sharefile.com/r-r77d4332c21ab4a28afe9e84ea94e2f3c
Another option for searching and removing messages from the mail store is using a PowerShell script. If you don't have to decode strings it's as simple as:
(Get-ChildItem -path C:\mdaemon\users\ -filter *.msg -Recurse | Select-String -Pattern "test" -List) | Remove-Item -Force -Confirm
If you are not familiar with PowerShell, you can remove the -confirm on the end and it will just delete the messages without asking.
This will work great for finding email addresses of the sender, or searching subjects and bodies that are not encoded, but if you have to decode a string it gets more complicated.
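The decoding case mentioned above, as an added example that is not part of the original post or MDaemon's own tooling: it decodes RFC 2047 encoded Subject headers before matching, and moves hits to a quarantine folder instead of deleting them so the samples stay available for analysis. The function names and `D:\quarantine` are hypothetical; it assumes each `.msg` file is a plain RFC 822 message and that the quarantine folder already exists.

```powershell
# Added example. Function names and D:\quarantine are hypothetical; assumes
# each *.msg file is a plain RFC 822 text message with its headers first.
function ConvertFrom-EncodedWord {
    param([string]$Text)
    $Text = [regex]::Replace($Text, '(\?=)\s+(=\?)', '$1$2')  # RFC 2047: drop space between encoded-words
    $decode = [System.Text.RegularExpressions.MatchEvaluator]{
        param($m)
        try {
            $enc = [Text.Encoding]::GetEncoding($m.Groups[1].Value)
            if ($m.Groups[2].Value -eq 'B') {
                $bytes = [Convert]::FromBase64String($m.Groups[3].Value)
            } else {
                # Q encoding: "_" is a space, "=XX" is one hex-encoded byte
                $q = $m.Groups[3].Value.Replace('_', ' ')
                $bytes = [byte[]]@([regex]::Matches($q, '=([0-9A-Fa-f]{2})|.') | ForEach-Object {
                    if ($_.Groups[1].Success) { [Convert]::ToByte($_.Groups[1].Value, 16) }
                    else { [byte][char]$_.Value }
                })
            }
            $enc.GetString($bytes)
        } catch { $m.Value }   # unknown charset or bad data: leave the word as-is
    }
    [regex]::Replace($Text, '=\?([^?]+)\?([BbQq])\?([^?]*)\?=', $decode)
}
function Get-DecodedSubject {
    param([string]$Path)
    $subject = $null
    # Headers end at the first blank line; 500 lines is an assumed upper bound
    foreach ($line in Get-Content -LiteralPath $Path -TotalCount 500) {
        if ($line -eq '') { break }
        if ($null -ne $subject) {
            if ($line -notmatch '^[ \t]') { break }
            $subject += $line            # folded continuation of the Subject header
        } elseif ($line -match '^Subject:\s*(.*)$') { $subject = $Matches[1] }
    }
    if ($null -ne $subject) { ConvertFrom-EncodedWord $subject }
}
function Move-MatchingMail {
    [CmdletBinding(SupportsShouldProcess)]
    param([Parameter(Mandatory)][string]$SubjectPattern, [Parameter(Mandatory)][string]$Quarantine, [string]$Root = 'C:\mdaemon\users\')
    Get-ChildItem -Path $Root -Filter *.msg -Recurse -File | ForEach-Object {
        $subject = Get-DecodedSubject $_.FullName
        if ($subject -and $subject -match $SubjectPattern) {
            $dest = Join-Path $Quarantine ($_.FullName -replace '[:\\/]', '_')  # original path kept in the name
            if ($PSCmdlet.ShouldProcess($_.FullName, "Move to $dest")) { Move-Item -LiteralPath $_.FullName -Destination $dest }
        }
    }
}
# Dry run first: Move-MatchingMail -SubjectPattern 'package' -Quarantine 'D:\quarantine' -WhatIf
```

Run it with `-WhatIf` first to list what would be moved, then repeat without it once the matches look right.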
-
Hello @Arron
I've added searching by domain and the ability to delete messages to the wishlist.
Great, thank you
Would you be willing to share some of those messages with us?
Uploaded those I have on-hand at the moment. May I use this same link to upload in the future, in case I run into something more drastic?
Another option for searching and removing messages from the mail store is using a powershell script
I will have to try this, but have to find a little more time.
Thank you
Regards
-
Arron Staff
Uploaded those I have on-hand at the moment. May I use this same link to upload in the future, in case I run into something more drastic?
Yes, it's a static link we use for all customer uploads. Just give us a heads up when you upload something.
-
Just give us a heads up when you upload something.
Understood. Here in the Forum or directly by email?
-
Arron Staff
Here in the Forum or directly by email?
Either is fine.
We are going to make some adjustments on our server to try to better detect the samples you provided.
-
MDaemon v24.0
[27517] Added a Delete button on the Message Search page at Messages and Queues | Message Search. Admins can now delete messages from a user's mailbox.
[27518] Added the ability for global admins to search all mailboxes in a given domain for specific messages at Messages and Queues | Message Search
Works great.
Thank you!