SIS and tracing the origin of an attachment

Tue Mar 15 13:02:03 UTC 2022

On 3/8/2022 5:51 PM, doug wrote:
> Hi All,
>
> I'm trying to trace an attachment within an SIS subdirectory to the 
> email message(s) that link to it. I say messages because I'm also 
> using dovecot dedup. My understanding is the linked file name is the 
> hash value of the attachments contents concatenated with the GUID of 
> the email message. I have had marginal success with a message I 
> created myself.
>
> Example: I generated an email with two attachments. Here are the links 
> in my attachment directory.
> ./26/c5/26c5c540d41779d83d2f5388041d05c67d720d9a-73eca8051acd276272310000f2bc99a3 
>
> ./65/cd/65cd73112a489ef07f17ed5740aa60358e2dd3fb-74eca8051acd276272310000f2bc99a3 
>
>
> In my sent folder the actual GUID of the message is 
> 75eca8051acd276272310000f2bc99a3.  So the GUID of the attachment is 
> based on the GUID of the message, but not exact. The second hex byte 
> seems to be decremented as an offset of the attachment index from the 
> GUID of the message. At least in my one example.
>
> # doveadm dump 
> /mailstore/doug/mail/mailboxes/Sent/dbox-Mails/dovecot.index | grep 
> guid | tail -1
>     - guid: 75eca8051acd276272310000f2bc99a3
>
> With that actual GUID I can find the message with a search:
> # doveadm search -u doug mailbox Sent guid 
> 75eca8051acd276272310000f2bc99a3
> doug e5711f1cf2c9294f71090000059b96e4 53526
>
> Now let's try to track down another email when only the HASH-GUID 
> value is known. Here is one randomly picked.
>
> ./00/a2/00a2d5de3e41053d59bd10084826bbe094aa1c59-57857b09d1a327627e260000f2bc99a3 
>
>
> # doveadm search -A mailbox '*' guid 57857b09d1a327627e260000f2bc99a3
> # doveadm search -A mailbox '*' guid 58857b09d1a327627e260000f2bc99a3
> # doveadm search -A mailbox '*' guid 59857b09d1a327627e260000f2bc99a3
>
> I repeated this incrementing and decrementing from 5085... through 
> 5f85... and never located the message.
>
> This seems like it should be trivial but I've been struggling with it 
> for days. The GUID isn't random, there must be a way to track the 
> attachment back. What am I missing?
>
> And for those wondering why, our virus scanner flagged a number of 
> attachments, some with several links, and I want ask the users to 
> delete the offending messages so I can purge them from the server. If 
> I can find the emails I can give them the mail folder, date/time, and 
> subject of the message.
>

I keep experimenting with this and I still haven't found a reliable way 
to track an attachment back to it's original message so I can either 
notify the user or delete the message with doveadm. Is this not 
possible? I'm using mdbox if that matters. I see a similar thread going 
right now about virus scanning and deleting messages but that is maildir 
and I suspect not using SIS for attachments.

--
Doug