Delete An Email From All Mailboxes – Exchange 2007


Ex-Mgmt-Shell

Another day, another user who decided to give away their username and password to a phishing email. Thankfully this time it happened on a Monday morning, the spammer was kind enough to send to my internal users, and even better sent a spam to our helpdesk email. In other words – they basically told me they were sending spam from one of our mailboxes.

I did the usual – disabled the account/changed the password, blocked the spam/phishing site, purged our (growing) mail queues. But this time I really wanted to get rid of the email. So…
Powershell (Exchange Management Shell) to the rescue.

WARNING: Use at your own risk. I am not responsible for you nuking your exchange environment, but I ran this and can confirm it only affected the target email. This can be time consuming (about 2 hours for 1500 mailboxes). This was run from a workstation with Office 2007 (32-bit) using the EMS.

Give yourself access to the mailboxes:

Get-Mailbox -Server "EXCHANGESERVER"| Add-MailboxPermission -User "YOURADMINCCOUNT" -AccessRights Fullaccess -InheritanceType all

Then the fun begins.

Get-Mailbox -Server "SERVER" -resultsize unlimited | Export-Mailbox -SubjectKeywords "SUBJECTLINE" –IncludeFolders "\Inbox" -StartDate "04/14/2013 12:01:00" -DeleteContent -PSTFolderPath "c:\temp" > c:\temp\log.txt

If you want to test this against only your own mailbox first (I highly recommend it):

Get-Mailbox -Server "SERVER" -identity "YOURMAILBOX" | Export-Mailbox -SubjectKeywords "SUBJECTLINE" –IncludeFolders "\Inbox" -StartDate "04/14/2013 12:01:00" -DeleteContent -PSTFolderPath "c:\temp" > c:\temp\log.txt

This gets all mailboxes. Then feeds that to Export-Mailbox. The inbox (-includefolders) is then searched for the subject line I was targeting. The date was so I didn’t have things being wiped out before the phish started. The PSTFolderPath just copies out the PST (really small -256KB) for each user. I did this so I would have them all in a convenient place so I could then delete them all. The resulting log file was about 9MB and again wasn’t necessary but I wanted to save the results for follow up later.

Hit Tip: Source

UPDATE: Here’s another handy way to find emails with a specific attachment:
–AttachmentFilenames “BLAH-BLAH-BLAH.pdf”

Example:
Get-Mailbox -Server "SERVER" -resultsize unlimited | Export-Mailbox –AttachmentFilenames "BLAH-BLAH-BLAH.pdf" –IncludeFolders "\Inbox" -StartDate "04/14/2013 12:01:00" -DeleteContent -PSTFolderPath "c:\temp" > c:\temp\log.txt

Advertisements

Leave a Reply

Fill in your details below or click an icon to log in:

WordPress.com Logo

You are commenting using your WordPress.com account. Log Out / Change )

Twitter picture

You are commenting using your Twitter account. Log Out / Change )

Facebook photo

You are commenting using your Facebook account. Log Out / Change )

Google+ photo

You are commenting using your Google+ account. Log Out / Change )

Connecting to %s