Delete An Email From All Mailboxes - Exchange 2007

Ex-Mgmt-Shell

Another day, another user who decided to give away their username and password to a phishing email. Thankfully this time it happened on a Monday morning, the spammer was kind enough to send to my internal users, and even better sent a spam to our helpdesk email. In other words - they basically told me they were sending spam from one of our mailboxes.

I did the usual - disabled the account/changed the password, blocked the spam/phishing site, purged our (growing) mail queues. But this time I really wanted to get rid of the email. So... Powershell (Exchange Management Shell) to the rescue.

WARNING: Use at your own risk. I am not responsible for you nuking your exchange environment, but I ran this and can confirm it only affected the target email. This can be time consuming (about 2 hours for 1500 mailboxes). This was run from a workstation with Office 2007 (32-bit) using the EMS.

Give yourself access to the mailboxes:

[code language="powershell"]Get-Mailbox -Server "EXCHANGESERVER"| Add-MailboxPermission -User "YOURADMINCCOUNT" -AccessRights Fullaccess -InheritanceType all[/code]

Then the fun begins.

[code language="powershell"] Get-Mailbox -Server "SERVER" -resultsize unlimited | Export-Mailbox -SubjectKeywords "SUBJECTLINE" –IncludeFolders "\Inbox" -StartDate "04/14/2013 12:01:00" -DeleteContent -PSTFolderPath "c:\temp" > c:\temp\log.txt [/code]

If you want to test this against only your own mailbox first (I highly recommend it):

[code language="powershell"] Get-Mailbox -Server "SERVER" -identity "YOURMAILBOX" | Export-Mailbox -SubjectKeywords "SUBJECTLINE" –IncludeFolders "\Inbox" -StartDate "04/14/2013 12:01:00" -DeleteContent -PSTFolderPath "c:\temp" > c:\temp\log.txt [/code]

This gets all mailboxes. Then feeds that to Export-Mailbox. The inbox (-includefolders) is then searched for the subject line I was targeting. The date was so I didn't have things being wiped out before the phish started. The PSTFolderPath just copies out the PST (really small -256KB) for each user. I did this so I would have them all in a convenient place so I could then delete them all. The resulting log file was about 9MB and again wasn't necessary but I wanted to save the results for follow up later.

Hit Tip: Source

UPDATE: Here's another handy way to find emails with a specific attachment: –AttachmentFilenames "BLAH-BLAH-BLAH.pdf"

Example: [code language="powershell"]Get-Mailbox -Server "SERVER" -resultsize unlimited | Export-Mailbox –AttachmentFilenames "BLAH-BLAH-BLAH.pdf" –IncludeFolders "\Inbox" -StartDate "04/14/2013 12:01:00" -DeleteContent -PSTFolderPath "c:\temp" > c:\temp\log.txt [/code]