Back to Community Threads
50
Find and Delete Malicious Emails
Idea shared by ScottF - 3/3/2021 at 1:38 PM
Proposed
We had a few cases where a SmarterMail domain was targeted with a phishing message. In some cases hundreds of users receive the phishing message. After the phishing message is reported, we check the logs to find out who received the message and then use the impersonate feature to manually delete the messages.

An investigation tool to delete all the messages at once would be a great add. See Google Workspace's feature: https://support.google.com/a/answer/7581662

41 Replies

Reply to Thread
10
Employee Replied
4/15/2021 at 3:02 PM
Employee Post
Hi Scott,

Thanks for the great feature request! I'm going to get a ticket started so I can get your request over to our development team for consideration.
5
+1 Yes, this would be a really useful feature to help protect users from phishing messages that make it through the spam & virus filters.

Thanks, Emily!
5
Employee Replied
4/15/2021 at 3:13 PM
Employee Post
You're very welcome, kevind!
3
+1
7
+1
and add to that, possibly a way to delete every email from the same IP address too, across all mailboxes.
www.HawaiianHope.org - Providing technology services to non profit organizations, low income families, homeless shelters, clean and sober houses and prisoner reentry programs. Since 2015, We have refurbished over 11,000 Computers !
4
Under the Security page in Server Admin Settings/ SMTP Blocks. It would be great if when you add a domain or email address to block on this list, that the system would give an option to delete from domain inboxes or delete from all domains inboxes.
J. Sebastian Lee Service2Client LLC 6333 E Mockingbird Ste 147 Dallas, TX 75214 - 877.251.3273
2
Would be great also if we could have Content Filtering at the server level, as opposed to just the user, so we could block all future phishing emails, such as the current "This account has been hacked! Change your password right now!" emails, too. Not sure how these are making it through all the anti-spam I have on my box.

Additionally, when a user is reviewing an email, allow them to report it to SM as spam, which would alert the system admin (me) to potentially add it to this server-level Content Filter.
Mik MullerMontague WebWorks
9
Yes. I agree the "Mark As Spam" should be brought back. Please see and vote for this thread:
6
Could have really used this "find and delete" feature yesterday.  Had a phishing email sent to around 300 users with a link to login and upgrade their email.  Fortunately, most people are getting wise to this, but the support team took over 50 inquiries asking questions.  Not sure how many people actually clicked.

With 19 votes, it looks like everyone could use this feature. Please prioritize. Thank you.
1
I have two of those emails hitting pretty much every user on my box. Yes, search and destroy, but also review the IP numbers and if consistent, block them. If distributed, then just Content Filter. And allow for sharing rules with other SM servers, either through ST as a hub, or some sort of simple text-based definition packet that can be posted to a forum thread, copied, and imported by those who want to participate in that thread.

It's pretty embarrassing that we are unable to stop these from reaching our users.
Mik MullerMontague WebWorks
9
Matt Petty Replied
5/13/2021 at 1:06 PM
Employee Post
+1 
Finding related (or same) message across multiple users and deleting them I could see being very powerful. We could use things like message-id, IP, sender, subject, etc paired with our index/searching to create a tool to remove "like" messages from all the users in a domain or server. 
Matt Petty Senior Software Developer SmarterTools Inc. www.smartertools.com
3
Here's a long-shot additional thought: Database the subject of all incoming emails. If a particular subject, ie; "This account has been hacked! Change your password right now!" reaches a threshold of, say, 25 in a day, flag it as spam. If they continue to come in, send them to trash.
Mik MullerMontague WebWorks
1
Problem with matching just by Subject is it would catch items like newsletters, twitter, linkedin updates and banking announcements that have the same subject line and are legitimately sent to many of our users.

I think Matt Petty is definately on the right track. 
2
True. I have an event that emails me whenever an IDS rule is triggered, though. If this new feature were to work within that system, we could be alerted once an email with the same subject were to hit, say, 50 users on the box. Log in to the server, and if it's legitimate newsletter emails just leave it. If it's spam, block it.
Mik MullerMontague WebWorks
3
+1
4
Bump. Hoping this enhancement request with 32 votes is on the short list for 2022!

Thanks!
6
Tim Uzzanti Replied
1/19/2022 at 11:25 AM
Employee Post
You guys really have no idea what your asking for.  The risks associated with crawling a mail server and going into unrelated mailboxes and removing messages.  Have you thought about any of the compliance requirements or issues related to this?  Think about the risks you are adding onto yourself, your company and the risks associated with administrators making mistakes or poor decisions etc.  
Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
0
How is this different from how current anti-spam, anti-virus apps work on mail servers? Don't they simply delete emails, too, server-wide, based on their own algorithms?
Mik MullerMontague WebWorks
5
Tim Uzzanti Replied
1/19/2022 at 12:19 PM
Employee Post
Thats spool not mailbox. Touching a users mail is BAD and in some cases illegal.  If you read our 2021 summary email, you see how we have customers all over the world and must follow compliance and legal requirements accordingly.
Tim Uzzanti CEO SmarterTools Inc. www.smartertools.com
2
Touching a users mailbox = BAD.
Taking some of this into consideration in the spool = interesting but requires a lot more thought and possible complexity I think.

For example, if some of these high repetition emails used as examples here were detected on the local server I think we'd need to define "detected" and possibly include, or have the option to include, more than just the subject line.  Even then you may see the attack perpetrated simultaneously from a variety of IP addresses and EHLO's.

Assuming a GUI was developed to allow the admin to set some parameters for this, or perhaps for a number of different conditions, I'd want the option to let the domain and/or the user opt out of the default behavior following such a detection or perhaps chose one of several outcomes.

That get's us back into functionality, covered elsewhere here, as to whether the body of an email is actually altered with some sort of warning header or footer as M365 can do or there is a subject line tag or a deletion or a spam weighting that might trigger deleting or move to the Junk E-Mail folder.

To really be a solution, a selling point and to avoid becoming something that created a lot of support issues I think a lot of thought would need to go into it. and coming to a consensus would be difficult.

I am with Tim on this though.  Simply reaching into the inboxes would likely be perilous and be a great attack surface for a competitor trying to sell against ST by pointing out that it fundamentally violated a variety of requirements in a number of jurisdictions.
SmarterMail(tm) MAPI over HTTP - Let's flesh it out for Outlook with a full set of Exchange like features!
3
Tim, I understand the compliance issue. I know SmarterTools is a big company. I would say Microsoft is bigger.

Here is a page from their site that shows how to do it. I get the implications but if you have a known virus, malware, phishing that is in people's inboxes the only choices are (1) email the users and ask them to do that, (2) automation, or (3) hope the users don't fall for it and click. I'm sure there are but to me removing it is the only way that guarantees this. This would be up to each company to do and a policy should be in place to make certain that it is allowed. I know I have done this back in Exchange 2010 when a phishing attack hit a mail server.


And another document that shows how to do it under Exchange.
2
Totally agree that this is not an easy problem. I just saw it as an opportunity for improvement. Google was able to implement a mitigation feature with their premium edition: https://support.google.com/a/answer/7581662

Again, just thought it would be worth exploring some options. A targeted phishing attack on a domain with hundreds of users can turn into an all day project. 
2
This would be covered under the Spam Button concept, discussed elsewhere in the forums.

If there were a way to feed a server database of emails our users have marked as spam, and the server were to see many, many copies of the same email come in to other users, there would be some leverage to apply there, especially if that were to also feed into a ST centrally-located database, fed by SM admins who want to help feed the tool.

One email I'd love to stop in its tracks is the Domain Authority of America and all its variants. three of my customers have been fooled by the official-looking email and sent them money... never to be seen again.
Mik MullerMontague WebWorks
3
Bump after 5.5 months as this request came up in another thread...
3
Bump for 2023. Just had a phishing attack to our domain that didn't get tagged as spam because it was from a legitimate mailbox. Unfortunately, people fall for the urgency and click the link which takes them to a fake login screen where they enter their password.

This feature would allow us to proactively remove the message. Or as a compromise, allow us to move it to the users' Junk Email folder.
2
what if you follow this concept but instead of deleting the mail or moving it to junk after manually tagging such a threatening mail, for example, you add a note at the top of the mail like:

The system administrators have classified this message as a threat with the intention of obtaining personal information from you for misuse purposes.

Would that at best solve the problem with compliance?
Maybe you could specify like different types of classification and then let the administrator select this via a dropdown list:

- SPAM
- Phishing
- malware

After that maybe select which measure is taken like:
- Include hint text to mail
- Include message text in mail and move it to junk mail
- Move to junk only

Thank you and greetings
1
Roger:
It is great that people are contributing here.  I definitely appreciate that.
I do still worry about changing anything in the body.
Assuming ST could recalculate and also hack the signature so that the integrity check passes on signed emails I think it opens up some potential problems legally.  It also has the potential to create a nightmare scenario during an SM update where all of the email in all of the domains fail to pass on a bug slipping through.

In general, if we were going to take these chances I think it should be something that can be enabled/disabled at the domain level if not even the user level.

I see value in them but I'm not sure the value outweighs the risk.
SmarterMail(tm) MAPI over HTTP - Let's flesh it out for Outlook with a full set of Exchange like features!
1
True, but something could be done. ST has a central server that is checked frequently for maintenance subscriptions, so a central source DB with these spam rules could be pushed out to our own SM installs. A private, home-rolled anti-spam network.

Leverage what you got.
Mik MullerMontague WebWorks
0
Yes, and we'd probably take a good look at something like that if ST head down that path and like the Leverage what you got comment although I think it would be a big load on something designed as a licensing server and also require a lot more code around it to deal with false positives or screening but if ST did take it on we'd certainly look at it, even as an add-on.

We have something similar now based upon an even larger base of user experience using Message Sniffer vectored using Declude.  
SmarterMail(tm) MAPI over HTTP - Let's flesh it out for Outlook with a full set of Exchange like features!
0
I have both those products. Are there settings or anything I should be looking for in terms of handling this issue?
Mik MullerMontague WebWorks
7
Bump for April. This would be a great feature to have in today's world with all the phishing going on.

When a malicious email comes into a domain, give the admin the ability to locate all copies of that message and either delete or move to Junk folder.
5
UP...
6
Bump for 2024. We had a phishing attack this past weekend targeting users on our SmarterMail server. This feature with 43 votes would have been nice to have...

Could have caught it early and extracted the message preventing a few users from clicking the link and giving away their password. Now most users get that it's phishing, but they still forward it to Support asking if it's real or warning us about it, so still causes extra work.
3
Could this be a domain admin level feature? Leave it to the domain admin to decide. Is it really any different from a domain admin impersonating accounts and removing mail via impersonation?
1
So I don't think it necessarily has to be that these threat reports etc. come from ST. Perhaps this can simply be optionally activated and deactivated in the spam filters.

I think the function that you can add an inlay text to dangerous mails or delete them across mailboxes should be a domain admin function but also a system admin function. As a system admin, you can grant the domain admin this option or prevent it in the domain settings.
4
+1 for this feature.  Exchange (cloud and on-prem) has had the mass-delete feature for years, and we've used it often to kill very-believable phishing attempts... and a few emails from a certain C-suite dweller who's been guilty of carelessly sending highly sensitive emails to (what she thought was) a singular recipient, but whose name starts with the same first few letters of the all-users distribution group.
 
4
@echoDreamz -- good point about impersonation. We already have the capability to do this, but it's cumbersome removing one message at a time.

Request the ability to search all mailboxes for the phishing message and delete all occurrences (or move to Junk folder if that's required for compliance).
1
@EchoDreams  "Could this be a domain admin level feature?" 

I don't think that would work, at least for me. We host 150 domain names (450 accounts), and I think maybe four of them take advantage of their Domain Admin status. The rest of our users have no idea what or how to do anything related to email. They rely on me for their email health and safety, while occasionally complaining to me about spam and phishing. I do what I can for everyone, but email is not my main business. It's actually a bit of a loss leader. We do it as a value-add. 

So, having a private email server that is already networked with hundreds (thousands?) of other deployments of the same server platform makes me think there are some possibilities in terms of managing large blasts of spam hitting them.
Mik MullerMontague WebWorks
5
Request that this idea with 44 votes (#1 in the community) get added to SmarterMail.  Phishing and other attacks are going rampant and this would give us the ability to remove these messages before the user clicks on the link and gives away sensitive information.

Both Google Workspace and Microsoft Office365 have this feature.  Although the Microsoft search and purge action is limited to 50,000 mailboxes. :-)

Simply allow the Server Admin to specify the Date and the Subject of the message. Then search, display the results with all the users who received it, and allow the Admin to permanently delete (or move to trash/junk). If you think there's a compliance issue, the ability to just remove the hyperlink or sensitive data would be acceptable.

Thanks!
Kevin
3
Just about every week a phishing email gets past the spam filters and is delivered to  our users. We really need a way to identify the users who received it, then do remediation like deleting the message or moving it to spam.

Google has had this feature for years. Office365 has it too:

This is the #1 most requested feature in the community with 46 votes. Please add it to SmarterMail so we can help protect our users.

Thanks,
Kevin
0
Just started looking at feasibility of writing it myself using the API.    
As you loop through each domain and each user (not shown), you would need to use this query to find applicable messages, setting the current account into the "ownerEmailAddress: field.   I think I would limit search to Inbox folder for performance reasons.

I have attempted to elaborate on the sketchy documentation by inserting possible values for lists and dictionaries, using Python syntax:  {} for dicitionaries and [] for lists.   Several of the options would not apply to this type of search (CategoryFilter,skip,take,selectedUIDs)

What I don't understand is how to use the "query" parameter, as it seems redundant.  Can someone explain that item, or generally help with ensuring that the syntax is correct on first try?

Doug


response.post(
url=Base+"api/v1/mail/messages"
, auth="value"
,json=
{
"query": text,
"includeSubFolders": False,

"fieldsToSearch": (
    "None",
    "From",
    "To",
    "Subject",
    "Body",
    "Date",
    "Cc",
    "Header",
    "Uid",
    "Bcc"
    ),

"searchFieldValueMap": {
    "From": "value", 
    "To": "value", 
    "Subject" : "value",
    "Body" : "value",
    "Date" : "value",
    "Cc"   : "value",
    "Header" : "value",
    "Uid"  : "value",
    "Bcc"  : "value",
    },
# Note that values should only be supplied for fields that are in the FieldsToSearch list


"searchFlags": {
    "Read" : False,
    "Replied" : False,
    "Forwarded" : False,
    "Deleted" : False,
    "Flagged" : False,
    "Draft" : False,
    "Recent" : False,
    "hasAttachment" : False,
    "linkedToTask"" : False
    },

"messagesSince": date,
"messagesBefore": date,

"maxSizeInBytes": number,
"minSizeInBytes": number,

"useContentFieldOnly": boolean,

"experimentalSpeedup": boolean,

"oR": boolean,

"categoryFilter": { 
    "filteredCategories": [ text ... ],
    "includeNoCategory": boolean
   },

"ownerEmailAddress": text,    // An identifier for the person sharing the item.

"folder" : "Inbox",        // The name of the folder.

"skip": 0,        // The starting index for the data items being requested.
"take": number,        // Total count of emails being requested.
"selectedIds":  [ number ... ] , // A list of email UIDs that are currently selected.

"sortType": (
    "Date",
    "Size",
    "Subject",
    "From",
    "To",
    "InternalDate",
    "Attachment"
    ),    // The sorting filter that should be applied.

"sortAscending": boolean// Flag used to determine if a list should be ascending or descending order.
}
)
Back to Community Threads

Reply to Thread

Enter the verification text

Related Knowledge Base Articles

Cannot Delete Email FolderSmarterMail > Troubleshooting
Upgrading SmarterMail (Domain Conversion)SmarterMail > Installation and Configuration
Steps to Fix "UID of a message changed" Error When Using IMAPSmarterMail > Troubleshooting
Conference Room Conflicts and ResolutionSmarterMail > Troubleshooting
Google Safe Browsing Warning and SmarterMailSmarterMail > Troubleshooting