# Searching and filtering in Mbox Viewer

## What is searching and filtering in Mbox Viewer?

Mbox Viewer by Cloud Captains is a Chrome extension for opening and searching email archives. Whether you have an old Thunderbird archive, a Google Takeout export or a handful of loose .eml files, you drag them into the window and browse them as if it were Gmail: the message list on the left, the open message on the right.

As soon as an archive grows large, scrolling no longer gets you to one specific message. That is what the search bar is for. You do not just type loose words, you use search operators: short commands that tell the app exactly where to look. Think of `from:` to filter by sender or `has:attachment` to show only messages that carry a file. On top of that you organise your archive with labels, stars and notes, so you can find important messages again later.

:::info title="Everything stays on your own device"
Mbox Viewer runs 100% locally and offline. Your emails are never uploaded, there is no server and no telemetry. All data lives in your browser's local database (IndexedDB). Searching and filtering therefore happen entirely on your computer, and nobody else sees your queries or your messages. Want to know more? Visit https://mbox-viewer.online.
:::

## Why search operators are useful

An ordinary search looks everywhere at once: in the sender, the subject and the body. That usually returns far too many results. Operators let you sharpen your query. Instead of hundreds of messages that happen to contain the word invoice, you ask for, say, only messages from a particular sender, with an attachment, from a specific period. That takes you from thousands of messages down to the few you actually want.

You combine operators simply by typing them one after another with a space in between. Everything you type then has to match (a logical AND). So `from:jane has:attachment` shows only messages from Jane that also include an attachment.

## All the search operators at a glance

Below are all the operators with an example. You type them straight into the search bar.

| Operator | What it does | Example |
| --- | --- | --- |
| `from:` | Filters by sender | `from:jane@company.com` |
| `to:` | Filters by recipient | `to:info@client.com` |
| `cc:` | Filters by cc recipient | `cc:board@company.com` |
| `bcc:` | Filters by bcc recipient | `bcc:archive@company.com` |
| `subject:` | Searches the subject line | `subject:invoice` |
| `has:attachment` | Only messages with an attachment | `has:attachment` |
| `has:link` | Only messages with a hyperlink | `has:link` |
| `has:image` | Only messages with an image | `has:image` |
| `before:` | Before a date (YYYY-MM-DD) | `before:2025-01-01` |
| `after:` | After a date (YYYY-MM-DD) | `after:2024-06-01` |
| `older_than:` | Older than a time span | `older_than:30d` |
| `newer_than:` | Newer than a time span | `newer_than:7d` |
| `larger:` | Larger than a file size | `larger:5M` |
| `smaller:` | Smaller than a file size | `smaller:1M` |
| `is:starred` | Only starred messages | `is:starred` |
| `is:suspicious` | Only messages flagged as suspicious | `is:suspicious` |
| `filename:` | Searches attachment names (wildcard *) | `filename:quote*` |
| `tag:` | Filters by a label | `tag:legal` |
| `header:` | Searches a specific header | `header:X-Mailer:Outlook` |
| `NOT` | Excludes a term | `invoice NOT reminder` |
| `"..."` | Searches for an exact phrase | `"payment received"` |

:::tip title="Combine for sharp results"
The real power is in combining. Want every invoice from a supplier in 2024 that has an attachment? Type: `from:supplier subject:invoice has:attachment after:2024-01-01 before:2025-01-01`. Each condition trims the results until only what you are looking for remains.
:::

## Using dates and time spans well

There are two ways to filter by time. `before:` and `after:` work with a fixed date in year-month-day format, so `after:2024-03-15`. Handy when you have a concrete period in mind.

`older_than:` and `newer_than:` work with a span counted from today. You give a number and a letter: `d` for days, and likewise for weeks, months and years. `newer_than:7d` shows everything from the past seven days. `older_than:30d` shows everything older than thirty days. This is ideal when you do not know the exact date but you do know roughly how long ago something happened.

## Filtering by size

With `larger:` and `smaller:` you filter by the size of a message. Use `M` for megabytes and `K` for kilobytes. `larger:5M` surfaces the heaviest messages, often those with big attachments. `smaller:1M` shows the lighter ones instead. Combine this with `has:attachment` to quickly track down the largest attachments in your archive.

## Finding suspicious messages

`is:suspicious` shows every message that Mbox Viewer has flagged as potentially dangerous. On the Forensic tab the extension assigns each message a suspicion score based on signals such as failed authentication, a mismatched Reply-To address, punycode domains or a display name that does not match the real email address. This operator brings all the questionable cases to the surface at once, for example when you are investigating a phishing campaign inside an archive.

:::warn title="Suspicious is a signal, not a verdict"
A message flagged as suspicious is not necessarily malicious. The score is an aid. Open the Forensic tab to see which signals the message triggered before you draw any conclusions.
:::

## Regex mode

Alongside the regular operators, Mbox Viewer has a regex mode. Regex (regular expressions) is a way to describe patterns rather than fixed words. With it you can search for, say, every message with an order number that starts with INV followed by digits, or several spellings of a name at once.

You switch regex mode on in the search bar. From then on you no longer type plain text but a pattern. This is an advanced feature: if you have never worked with regex, the ordinary operators will usually get you a long way already.

:::tip title="Start small with regex"
Want to learn regex in Mbox Viewer? Begin with a simple pattern like `invoice|bill|statement` to search three words at once (the vertical bar means or). Build it out from there as you grow more comfortable.
:::

## Saved searches

Do you run the same query over and over? Save it. A saved search remembers your complete string of operators so you can run it again with a single click. Handy for recurring tasks, such as reviewing all suspicious messages every week or jumping straight to a particular supplier's invoices.

:::howto title="Save and reuse a search"
1. Type your full query into the search bar, for example `from:supplier has:attachment subject:invoice`.
2. Check that the results list shows what you expect.
3. Save the query using the option to keep it next to the search bar.
4. Give it a recognisable name, for example Supplier invoices.
5. Later, open the list of saved searches and pick it to run the query again instantly.
:::

## Organising with labels, stars and notes

Search finds messages again, organising keeps them tidy. Mbox Viewer gives you three ways to mark messages, and they all work together with the search operators.

Labels (tags) are free-form labels you attach to a message, for example legal, tax-office or project-x. A message can carry several labels. Later you filter on them with `tag:legal`.

Stars (favourites) mark a message as important. It is a simple on-off marker. You bring back all your starred messages with `is:starred`.

Notes (Captain notes) are free text you leave on a single message, for instance a reminder of why this message matters to a case. The note belongs to that one message.

:::howto title="Label, star and annotate a message"
1. Open the message in the list so it appears on the right.
2. Add one or more labels through the label option on the message and type a name, for example legal.
3. Click the star to mark the message as a favourite.
4. In the note field, write a short Captain note about why this message is important.
5. Find it all again later with `tag:legal` or `is:starred`.
:::

:::info title="Your labels and notes stay local too"
Labels, stars and notes are stored, just like your emails, in the local database on your device. They never leave your computer. If you want to move your work to another computer, export your entire workspace from the settings and import it again there.
:::

## Filtering by attachment, source file and date range

Next to the search bar, Mbox Viewer has standalone filters that trim the list quickly without typing operators. You can filter by the presence of an attachment, by the source file (handy when you have several archives open at once and only want messages from one particular .mbox file) and by a date range. These filters work alongside your query: you can type an operator first and then narrow further with a filter.

:::tip title="Filter by source file with multiple archives"
Have a Takeout export and a separate Thunderbird archive open together? The source-file filter lets you search within just one archive, without results from the other slipping in.
:::

## Practical examples

A few common combinations to get you going:

- Every email with an attachment from a specific sender: `from:accountant has:attachment`
- Large messages from the past year: `larger:5M newer_than:365d`
- Invoices, but no reminders: `subject:invoice NOT reminder`
- An exact phrase in a subject: `subject:"annual statement 2024"`
- An attachment with a particular name: `filename:contract*`
- All suspicious messages from a certain domain: `is:suspicious from:unknown.tk`

:::faq
### How do I combine several search operators?
You type the operators one after another in the search bar with a space between them. All conditions then have to match. So from:jane has:attachment shows only messages from Jane that also include an attachment. Add more conditions whenever you want to filter more sharply.

### Are my searches stored or sent anywhere?
No. Mbox Viewer runs entirely locally and offline. Your searches, emails, labels and notes stay in the database on your own device. There is no server, no cloud and no telemetry.

### What is the difference between before:after: and older_than:newer_than:?
With before: and after: you give a fixed date in year-month-day format, for example after:2024-06-01. With older_than: and newer_than: you count back from today using a time span, for example newer_than:7d for the past seven days. Use the first when you know the exact date, the second when you only know roughly how long ago something was.

### When should I use regex mode instead of the regular operators?
Use regex when you are looking for a pattern rather than fixed words, for example several spellings of a name or an order number with a set format. For most everyday searches the regular operators are quicker and simpler.

### How do I find my labelled or starred messages again?
Use the tag: operator followed by the label name to filter by a label, for example tag:legal. Use is:starred to show every message you have starred. That way organising and searching work together seamlessly.

### Can I keep a search for repeated use?
Yes. Type your full string of operators into the search bar and save the query under a recognisable name. After that you run it again with a single click, which is ideal for tasks you do regularly.
:::