Thunderbird does not delete virus attachments when downloaded email message is deleted
I have a Thunderbird set up with two email accounts, separate IMAP connections. Messages are downloaded locally when they arrive and are deleted from the server when I delete in my inbox, the local is a mirror of the server messages. Since an update (possibly to version 30.0 ) I have noticed a curious situation:
My Anti Virus (Eset Endpoint Security, Business Edition Version 5) when scanning the computer comes up with numerous viruses, located in my local thunderbird profile, these are then cleaned and removed by the antivirus, but future scans there are more, the virus types and number change.
What I am fairly sure is happening is this: I get a small amount of spam - 20 emails a day for each mailbox, these are easy to recognise and delete, which I do, however some of them have fake / virus attachments which Thunderbird (I presume) downloads, but when I delete the message, the attachment is not also deleted and is instead left dormant and unattached but is then discovered by the Antivirus scan.
This has been happening fairly constantly for the last 6 months at least, it never occurred before and my amount of spam emails has been pretty consistent - so It seems to be a issue with an upgrade (perhaps). So, how do I delete local attachments when I delete a message in Thunderbird? I also presume that perhaps the attachment has some way of sidestepping or otherwise denying deletion.
To Summarise, the viruses are NOT active, they are NOT infecting my computer, but they are sitting in my Thunderbird Profile waiting to be activated. the ONLY way these would get here is via downloads from spam , which I do get, and I do delete the email, but my evidence suggests the virus-infected attachments are NOT deleted as well. I have not checked if the attachments are also deleted from the server, that's a little beyond my abilities at the moment, but the email HAS been/appears deleted from the server.
Any help in removing these sleeping threats would be very useful, thank you.
Chosen solution
failure to understand the storage process causes much gnashing of teeth and lost hair.
Thunderbird uses a MBOX file to store mail for a folder. when mail is deleted n Thunderbird it is not removed from that mbox file it is marked as deleted.
For those old enough flat file databases have used this to improve performance since the days of dbase. Anti virus programs come along and start fiddling with the contents of the mbox file with very variable results. Nortons will delete the entire MBOX file and all content is gone. Others attempt to edit the file and remove the bit they do not like, most often the result is corruption.
Given that this is inactive data that is not being accessed personally I just exclude the folders from the scanner. Security that locates ostensibly deleted data and flaps it's arms and cries wolf is not security, but a nuance, and I use ESET.
Basically re-writing MBOX files to exclude removed mails in what the compaction process is all about, it is time expensive and moved off into it's own little task. In the case of IMAP account setting the expunge on exit will usually see a compaction occur when the program is closed each day. Right click the account select settings and under server settings set expunge on exit. Otherwise daily compacting is required to keep the files empty of deleted material.
When the single file per mail comes in (hopefully in TB38). Most of this will be moot as deleting the mail "can" delete the file
Read this answer in context 👍 1All Replies (5)
an attachment is part of the email included in its body, made text-like so it can be sent. If you don't save it to disk then it's still part of the email you delete.
But if you don't compact your inbox, trash and spam they are still in your folders only marked "deleted" and doesn't show.
Then they can be found in a virus check
Modified
To get rid of those sleeping viruses, compact your folders regularly. Run another check. If it still in there move all your good mail to a local folder and save attachment to disk. (puts a link in your email instead) then compact again. run a virus check on your attachment directory
Here is a link thats useful http://kb.mozillazine.org/Keep_it_working_-_Thunderbird
Hi thanks for your replies, I have Thunderbird set up to directly delete when I delete messages, I never use the "deleted" folder. I will compact my folders.
I will compact now and rescan. Thanks for your help...
Chosen Solution
failure to understand the storage process causes much gnashing of teeth and lost hair.
Thunderbird uses a MBOX file to store mail for a folder. when mail is deleted n Thunderbird it is not removed from that mbox file it is marked as deleted.
For those old enough flat file databases have used this to improve performance since the days of dbase. Anti virus programs come along and start fiddling with the contents of the mbox file with very variable results. Nortons will delete the entire MBOX file and all content is gone. Others attempt to edit the file and remove the bit they do not like, most often the result is corruption.
Given that this is inactive data that is not being accessed personally I just exclude the folders from the scanner. Security that locates ostensibly deleted data and flaps it's arms and cries wolf is not security, but a nuance, and I use ESET.
Basically re-writing MBOX files to exclude removed mails in what the compaction process is all about, it is time expensive and moved off into it's own little task. In the case of IMAP account setting the expunge on exit will usually see a compaction occur when the program is closed each day. Right click the account select settings and under server settings set expunge on exit. Otherwise daily compacting is required to keep the files empty of deleted material.
When the single file per mail comes in (hopefully in TB38). Most of this will be moot as deleting the mail "can" delete the file
Thank you for your advice, this helps clarify my knowledge of Thunderbird and how it deals with emails / spam / attachments