Delete from spam quarantine based on content

Sep 17, 2020
Hello All,

I have at times seen several quarantined messages which have specific words within the body which I know are phishing and while the message is quarantined I want to remove them from the quarantine. Going through the interface would just not work in this case because of all the users and messages.

As an example there may be a bunch of google forms phishing and I'm just going to remove them from the queue and not give the user the opportunity to make a mistake.

What I can do is find messages with the content based on the criteria and return the QUEUE ID, so as an example:

grep -Ril "The Easy Furniture Mover Set "
FA/A1CA960009EFE224FA
3B/A0AEC6001AC924ED3B
0B/A19616001CBBEF200B
1D/A195B6001C2840451D

Now what I would like to be able to do is delete the quarantine/queue ID, but haven't found a command to do so.
I know if I simply delete the queue file, that breaks it from within PMG.

Thank you!
 
Thank you, but I'm not sure I get it.
Here I did a grep to simply see how many of the same message I have, and to get the queue ID (see grep below)

From there I tried both of the above commands on the first item in the queue:
pmgsh get /quarantine/content -id A18BF600E4A50EB660
400 Parameter verification failed.
id: value does not match the regex pattern
get quarantine/content --id <string> [OPTIONS]

I got the same when trying to delete:
pmgsh create /quarantine/content -id "A18BF600E4A50EB660" -action delete
400 Parameter verification failed.
id: value does not match the regex pattern
create quarantine/content --action <string> --id <string> [OPTIONS]

I am totally missing something...




Code:
/var/spool/pmg/spam/ grep -Ri "Perfect for a birthday, anniversary, holiday or graduation"
60/A18BF600E4A50EB660:   -   Perfect for a birthday, anniversary, holiday or graduation
C5/A0B3F60116716177C5:   -   Perfect for a birthday, anniversary, holiday or graduation
B7/A0A6A600EB162325B7:   -   Perfect for a birthday, anniversary, holiday or graduation
73/A1C97601218EE60073:   -   Perfect for a birthday, anniversary, holiday or graduation
0C/A0A67600EA9AADD20C:   -   Perfect for a birthday, anniversary, holiday or graduation
05/A0A79600ECD47F0D05:   -   Perfect for a birthday, anniversary, holiday or graduation
8B/A0B4060116C763DF8B:   -   Perfect for a birthday, anniversary, holiday or graduation
61/A0A6E600EBED153B61:   -   Perfect for a birthday, anniversary, holiday or graduation
79/A0A85600ED26184979:   -   Perfect for a birthday, anniversary, holiday or graduation
79/A1A036011A663F4179:   -   Perfect for a birthday, anniversary, holiday or graduation
92/A1C9C60122835D8592:   -   Perfect for a birthday, anniversary, holiday or graduation
38/A0B17601035FBE5138:   -   Perfect for a birthday, anniversary, holiday or graduation
3D/A0A20600FC5D9CAC3D:   -   Perfect for a birthday, anniversary, holiday or graduation
76/A1C9060120D73A5776:   -   Perfect for a birthday, anniversary, holiday or graduation
D9/A1CA2601239F24CED9:   -   Perfect for a birthday, anniversary, holiday or graduation
58/A1790600C543EC3C58:   -   Perfect for a birthday, anniversary, holiday or graduation
58/A1C9A60122315E6C58:   -   Perfect for a birthday, anniversary, holiday or graduation
BD/A0AF260101E492BCBD:   -   Perfect for a birthday, anniversary, holiday or graduation
C1/A19A16010883DC99C1:   -   Perfect for a birthday, anniversary, holiday or graduation
DE/A1782600DDE81A1CDE:   -   Perfect for a birthday, anniversary, holiday or graduation
37/A18BB600E4540F0837:   -   Perfect for a birthday, anniversary, holiday or graduation
B8/A19BA6010A84C5C7B8:   -   Perfect for a birthday, anniversary, holiday or graduation
BE/A01FE600E5579BE2BE:   -   Perfect for a birthday, anniversary, holiday or graduation
88/A1897600CBB8608088:   -   Perfect for a birthday, anniversary, holiday or graduation
84/A0AD4600FF26FDE084:   -   Perfect for a birthday, anniversary, holiday or graduation
 
Sorry my mistake!

The id you have in the API does not relate to the filename on disk (which gets created based on the time when the mail is put in quarantine)

AFAICT there is no way to link the queue files to the IDs for 'deleting' the mail in quarantine accessible via the API ('deleting' means marking the mail as deleted for that recipient - the file gets removed after the quarantine lifetime)

the relation is in the database (in the cmailstore table)

You do get the subject and the quarantine-ID in the return data from `pmgsh get /quarantine/spam -pmail <recipient-address>` - so maybe this could help you for getting the info in a script

additionally see https://bugzilla.proxmox.com/show_bug.cgi?id=3164 - we're trying to get that implemented so that you as admin can view all quarantined mail without needing to provide the recipient e-mail address... (no timeframe when it will be decided yet)

I hope this helps!
 
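One way to script the lookup described in the reply above, as an added example that is not part of the original thread or Proxmox's own code: it takes the listing from `pmgsh get /quarantine/spam` for one recipient, selects entries by subject, and builds the `quarantine/content` delete calls as a dry run. The JSON field names `id` and `subject`, the `C<n>R<n>[T<n>]` ID format, and the sample listing are assumptions; the listing carries the subject, not the body, so matching is on subject only.

```python
import json
import re
import subprocess

# Assumption: API quarantine IDs look like C<n>R<n>, optionally followed by T<n>.
API_ID = re.compile(r"^C\d+R\d+(T\d+)?$")

# Constructed sample listing; the field names "id" and "subject" are assumptions.
SAMPLE_LISTING = json.dumps([
    {"id": "C12R345T678", "subject": "The Easy Furniture Mover Set - 70% off"},
    {"id": "C13R346T679", "subject": "Meeting notes for Thursday"},
    {"id": "A18BF600E4A50EB660", "subject": "The Easy Furniture Mover Set"},
])

def list_quarantine(pmail):
    """Return the raw spam-quarantine listing for one recipient address."""
    res = subprocess.run(["pmgsh", "get", "/quarantine/spam", "--pmail", pmail],
                         check=True, capture_output=True, text=True)
    return res.stdout

def plan_deletes(listing, subject_pattern):
    """Return (delete_commands, rejected_ids) for subjects matching the pattern."""
    rx = re.compile(subject_pattern, re.IGNORECASE)
    # Skip any status line printed before the JSON array (assumption).
    entries = json.loads(listing[listing.index("["):])
    commands, rejected = [], []
    for entry in entries:
        if not rx.search(entry.get("subject") or ""):
            continue
        qid = str(entry.get("id", ""))
        if API_ID.match(qid):
            commands.append(["pmgsh", "create", "/quarantine/content",
                             "--id", qid, "--action", "delete"])
        else:
            # A spool file name lands here; the API rejects it with a 400.
            rejected.append(qid)
    return commands, rejected

def run(commands, dry_run=True):
    """Print every planned command; execute only when dry_run is False."""
    for cmd in commands:
        print(" ".join(cmd))
        if not dry_run:
            subprocess.run(cmd, check=True)

if __name__ == "__main__":
    cmds, bad = plan_deletes(SAMPLE_LISTING, r"easy furniture mover set")
    run(cmds)  # dry run: prints the planned delete call
    print("skipped, not an API id:", bad)
```

On a real host, feed `list_quarantine("<recipient-address>")` to `plan_deletes` once per recipient and review the dry-run output before calling `run(cmds, dry_run=False)`.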
OK, that makes sense.
The needing the email address change will be good.

On the flip side, if I delete the mailq ID file, I believe the user still sees the heading within their quarantine, and then an error message because there is no message on disk where it's expecting it. Is there any other workaround?

As you can see in a regular spam the above 20 or so messages amongst several users could be quickly eliminated so the user doesn't ever see it.

Thank you for the explanation!
 
You can delete quarantined messages by directly removing the corresponding queue files. However, this approach may disrupt the functionality within your email management system.