...I just made the interesting and unhappymaking discovery that when you delete mail with Mozilla, Mozilla doesn't really delete it. It just marks it as deleted and doesn't show it to you any more, but it's still all right there on your disk in mbox format. Mozilla just keeps track in the Inbox.msf file for each account of which messages in Inbox are allegedly deleted. Sorta like MS-DOS changing the first character of the directory entry of "deleted" files to Ctrl-E.
You can tell Mozilla to delete a message, and it says, "OK, message marked as deleted. Er, I mean, message deleted." Then you tell Mozilla to empty the trash, and it says "OK, trash marked as ... er, I mean, emptied."
Then you open up ~/$USER/.mozilla/$username/hash/Mail/$account/Inbox, and gee golly gosh, there it is, intact and untouched.
And I've spent the last 30 minutes or so discovering that if you go in and manually clean out the allegedly-deleted mail by hand, Mozilla Mail gets really unhappy. It's not even as if Mozilla offers an "Undelete" feature that would account for this.
The potential for exposure of confidential information is obvious. This is what we call Bad. Spread the word around.
Update:
Having dug deeper into this and pinged the Mozilla folks, it appears this is a known issue, with an existing solution; the solution is just ... obscure. And what's that other word? Oh yeah . . . Undocumented. That's it.
If you look in Mozilla preferences, under the Mail and Newsgroups section, you'll see "Offline & Disk Space" at the bottom. And if you select that, at the bottom you'll find a checkbox marked "Compact folders when it will save over [100] KB", with an edit field for the 100. You won't see any explanation of what this means.
"Compact folders" means "REALLY delete mail." In theory, the smallest value you can set this to is 1, and 0 is not supported. 0 does, however, work. I just enabled this setting in my preferences and set it to 0 KB, and Mozilla proceeded to purge 16MB of allegedly-deleted mail.
Sixteen. Fucking. Megabytes. Of mail it told me it had already deleted.
Go clicky that little checkbox, folks. And remember, "0" may be unsupported, but it works. I'm glad the Mozilla folks are aware there's an issue, but this should have been resolved long since.
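An added example, not part of the original post: a read-only audit of a Mozilla mbox file that counts messages still on disk but marked deleted, so you can check whether compaction has actually run. It assumes the client also records deletion in each message's `X-Mozilla-Status` header (bit 0x0008), which the post does not mention; the sample mailbox and the function names are constructed for illustration.

```python
import mailbox
import os
import tempfile

# Assumption: bit 0x0008 of the hex X-Mozilla-Status header marks a deleted message.
EXPUNGED = 0x0008

# Constructed sample mbox: one kept message, one "deleted" but still on disk.
SAMPLE = (
    "From - Mon Jan 01 00:00:00 2001\nX-Mozilla-Status: 0001\n"
    "Subject: kept\n\nstill wanted\n\n"
    "From - Mon Jan 01 00:01:00 2001\nX-Mozilla-Status: 0009\n"
    "Subject: deleted in the client\n\nconfidential text still on disk\n\n"
)

def audit_mbox(path):
    """Count live vs. marked-deleted messages; never writes to the file."""
    report = {"live": 0, "deleted": 0, "deleted_bytes": 0, "unknown": 0}
    box = mailbox.mbox(path, create=False)  # raises if the file is missing
    try:
        for key in box.iterkeys():
            raw = box.get_message(key).get("X-Mozilla-Status")
            try:
                flags = int(raw.strip(), 16)
            except (AttributeError, ValueError):
                # Header missing or malformed: cannot classify this message.
                report["unknown"] += 1
                continue
            if flags & EXPUNGED:
                report["deleted"] += 1
                report["deleted_bytes"] += len(box.get_bytes(key))
            else:
                report["live"] += 1
    finally:
        box.close()  # nothing was modified, so close() does not rewrite the file
    return report

def demo():
    """Run the audit against the constructed sample in a temp directory."""
    with tempfile.TemporaryDirectory() as tmp:
        path = os.path.join(tmp, "Inbox")
        with open(path, "w", newline="\n") as fh:
            fh.write(SAMPLE)
        return audit_mbox(path)

if __name__ == "__main__":
    print(demo())
```

Run `audit_mbox` on a copy of the Inbox file while the mail client is closed; a nonzero `deleted` count after compaction means the purge did not happen.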