After working out a good method of accessing multiple Icedove profiles, combining multitudes of emails into one grand filesystem, and then finding one nasty little email that insinuates itself into any folder into which I move any emails, I'm finding that I cannot get rid of its payload.

I did find several copies/versions of the email and then move them into a holding folder, but even though they seem to be isolated there, every time I do move anything else within the email filesystem, a new copy of that nasty little email finds its way into the target folder.

I have all the sourcecode of the original phishing email in four of versions or copies of the offending email, and I can quickly locate all the new copies of the nasty email by searching on its 12/31/1969 date and then deleting the ones that consist of just a date with no headers and no text body, but the propagation still persists as long as the offending emails remain "isolated" in their quarantine folder.

I installed ClamAV and ClamTK, but neither the console-based or the GUI version detects anything.

Here's the console output:

>> sudo clamscan -r -v --scan-mail=yes --phishing-scan-urls --move=/home/amenex/.icedove/ /home/amenex/.icedove/c1zs68bi.08162015/Mail/"Local Folders"/ClamAVMalware/

>> ----------- SCAN SUMMARY -----------
>> Known viruses: 3945913
>> Engine version: 0.98.7
>> Scanned directories: 1
>> Scanned files: 0
>> Infected files: 0
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 8.300 sec (0 m 8 s)

The GUI version counts the number of files that it scans, but the console version does not.

If I expand the scope of the scan to "everything" I get the same output:

>> sudo clamscan -r -v --scan-mail=yes --phishing-scan-urls --move=/ /home/amenex/.icedove/c1zs68bi.08162015/Mail/"Local Folders"/ClamAVMalware/

>> ----------- SCAN SUMMARY -----------
>> Known viruses: 4548014
>> Engine version: 0.98.7
>> Scanned directories: 1
>> Scanned files: 0
>> Infected files: 0
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 9.991 sec (0 m 9 s)

If I point the scan right into the directory containing the known malware-bearing emails, I still get no "hits":

>> sudo clamscan -r -v --scan-mail=yes --phishing-scan-urls --move=/home/amenex/.icedove/c1zs68bi.08162015/Mail/"Local Folders"/ /home/amenex/.icedove/c1zs68bi.08162015/Mail/"Local Folders"/ClamAVMalware/

>> ----------- SCAN SUMMARY -----------
>> Known viruses: 4679254
>> Engine version: 0.98.7
>> Scanned directories: 1
>> Scanned files: 0
>> Infected files: 0
>> Data scanned: 0.00 MB
>> Data read: 0.00 MB (ratio 0.00:1)
>> Time: 10.000 sec (0 m 10 s)

If I do a Google search on a portion of the subject line, I get a large number of hits identifying the emails as phishes.

The ClamAVMalware folder above remains empty after all my attempts.

While I was sorting files into my main mail filesystem, I noticed that Icedove could not accurately count the number of emails in the source folder, whose count fluctuated up and down. I had combined emails from several other disparate email profiles into that one folder, however. Other source folders were better behaved.

In the test profile used above, I deleted the folder and contents of the offending emails and also deleted the one blank email with its 12/31/1969 date from the target folder after moving files into it, and when I tried that again after no known instances of the offending email could be found with the search function, the insinuations stopped. However, when I repeated this exercise with the much bigger main profile, I could not get rid of the insinuations. However, I did find that they were not propagated by selecting & moving the emails from within the source folder into a target folder; only search & move performed the propagation.

My questions are:

1. Is ClamAV skipping over hidden files (like ".icedove") ?
2. The offending emails came to me in 2005; has their payload been forgotten ? 3. What in my syntax is causing ClamAV to skip all but one directory and even to skip all files within that directory ? 4. Where else should I look in order to find and clean out the present location of the offending payload ?
5. Where are the payloads likely to be located in my Trisquel 7 file system ?

Reply via email to