After working out a good method of accessing multiple Icedove profiles,
combining multitudes of emails into one grand filesystem, and then finding
one nasty little email that insinuates itself into any folder into which I
move any emails, I'm finding that I cannot get rid of its payload.
I did find several copies/versions of the email and then move them into a
holding folder, but even though they seem to be isolated there, every time I
do move anything else within the email filesystem, a new copy of that nasty
little email finds its way into the target folder.
I have all the sourcecode of the original phishing email in four of versions
or copies of the offending email, and I can quickly locate all the new copies
of the nasty email by searching on its 12/31/1969 date and then deleting the
ones that consist of just a date with no headers and no text body, but the
propagation still persists as long as the offending emails remain "isolated"
in their quarantine folder.
I installed ClamAV and ClamTK, but neither the console-based or the GUI
version detects anything.
Here's the console output:
>> sudo clamscan -r -v --scan-mail=yes --phishing-scan-urls
--move=/home/amenex/.icedove/
/home/amenex/.icedove/c1zs68bi.08162015/Mail/"Local Folders"/ClamAVMalware/
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 3945913
>> Engine version: 0.98.7
>> Scanned directories: 1
>> Scanned files: 0
>> Infected files: 0
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 8.300 sec (0 m 8 s)
The GUI version counts the number of files that it scans, but the console
version does not.
If I expand the scope of the scan to "everything" I get the same output:
>> sudo clamscan -r -v --scan-mail=yes --phishing-scan-urls --move=/
/home/amenex/.icedove/c1zs68bi.08162015/Mail/"Local Folders"/ClamAVMalware/
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 4548014
>> Engine version: 0.98.7
>> Scanned directories: 1
>> Scanned files: 0
>> Infected files: 0
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 9.991 sec (0 m 9 s)
If I point the scan right into the directory containing the known
malware-bearing emails, I still get no "hits":
>> sudo clamscan -r -v --scan-mail=yes --phishing-scan-urls
--move=/home/amenex/.icedove/c1zs68bi.08162015/Mail/"Local Folders"/
/home/amenex/.icedove/c1zs68bi.08162015/Mail/"Local Folders"/ClamAVMalware/
>> ----------- SCAN SUMMARY -----------
>> Known viruses: 4679254
>> Engine version: 0.98.7
>> Scanned directories: 1
>> Scanned files: 0
>> Infected files: 0
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 10.000 sec (0 m 10 s)
If I do a Google search on a portion of the subject line, I get a large
number of hits identifying the emails as phishes.
The ClamAVMalware folder above remains empty after all my attempts.
While I was sorting files into my main mail filesystem, I noticed that
Icedove could not accurately count the number of emails in the source folder,
whose count fluctuated up and down. I had combined emails from several other
disparate email profiles into that one folder, however. Other source folders
were better behaved.
In the test profile used above, I deleted the folder and contents of the
offending emails and also deleted the one blank email with its 12/31/1969
date from the target folder after moving files into it, and when I tried that
again after no known instances of the offending email could be found with the
search function, the insinuations stopped. However, when I repeated this
exercise with the much bigger main profile, I could not get rid of the
insinuations. However, I did find that they were not propagated by selecting
& moving the emails from within the source folder into a target folder; only
search & move performed the propagation.
My questions are:
1. Is ClamAV skipping over hidden files (like ".icedove") ?
2. The offending emails came to me in 2005; has their payload been forgotten
?
3. What in my syntax is causing ClamAV to skip all but one directory and even
to skip all files within that directory ?
4. Where else should I look in order to find and clean out the present
location of the offending payload ?
5. Where are the payloads likely to be located in my Trisquel 7 file system ?