• Skip to primary navigation
  • Skip to main content
  • Skip to primary sidebar
  • Skip to secondary sidebar
OpenTechTips

OpenTechTips

Comprehensive IT Guides for Pros and Enthusiasts

MENUMENU
  • HOME
  • ALL TOPICS
    • Exchange
    • InfoSec
    • Linux
    • Networking
    • Scripting
      • PowerShell
    • SSL
    • Tools
    • Virtualization
    • Web
    • Windows
  • ABOUT
  • SUBSCRIBE
Home » Best Way to Mass Delete Spam Messages with Exchange PowerShell

Best Way to Mass Delete Spam Messages with Exchange PowerShell

October 5, 2020 - by Zsolt Agoston - last edited on October 6, 2020

What if spam messages slip through the cracks?

Despite spam filters are set up for your email service, spam messages might slip through the cracks and land in your users' inboxes. These messages can cause real pain.

In such cases we - as the administrators - have two options. One is that we send out a notification message, informing the users of the situation and asking them to delete the message when received. The problem with this method is that many of them might have already opened the spam message by the time they get to your notification.

The other option is removing the spam messages from the mailboxes through the Exchange shell. Let's see how!

Remove Spam from Mailboxes

To remove spam messages globally from user mailboxes we have two options:

  • Using the Search-Mailbox command on older Exchange servers
  • Running the New-ComplianceSearch command, which will soon supersede the former in later versions of Exchange

Remove Spam Messages from All Mailboxes

In our example a spammer called Tony sent out a spam message to 200 of our users. Our goal is to remove those messages before the users open their mailboxes in the morning.

We know that the spam message arrived today which is 01/10/2020, the sender was Tony@spammer.com and the subject in all cases reads as: "Redeem your $100 Amazon voucher!"

1. Search-Mailbox method

With the Search-Mailbox command we can run through all mailboxes in our organization, searching for emails that match our criteria. The process will copy the resulting emails in a central mailbox in case legit emails are removed, so in that case they can be reinstated easily. Then the command deletes the matching emails from the user mailboxes.

Get-Mailbox -Filter * -ResultSize unlimited | Search-Mailbox -SearchQuery {From:"Tony@spammer.com" AND Subject:"Redeem your $100 Amazon voucher!" AND Sent:"01/10/2020"} -TargetMailbox admin -TargetFolder "Spam: Nov/01" -DeleteContent -Force -Confirm:$false

This method is simple as it comprises one line of command only. However, it has limitations as only 10,000 messages can be processed at a time per mailbox this way. Also, this command is going to be deprecated in later versions of Exchange.

Here are the results saved in the admin mailbox. They are also deleted from the source mailboxes.

Best Way to Mass Delete Spam Messages with Exchange PowerShell

Remove Spam using a List

We use the message tracking log extract as the input to remove specifically those messages that we want. While there is a very slim chance using the first method to remove unwanted emails from mailboxes, there is still a chance so in larger organizations or where precision is very important. Browsing through the log we scan for items we potentially want to keep, and by removing those from the csv file we will preserve them.

MessageTracingLog:

Get-MessageTrackingLog -Sender "Tony@spammer.com" -Start (Get-Date).AddDays(-1) -End (Get-Date) -ResultSize unlimited| ? EventId -like "RECEIVE" | select Timestamp, Sender, Recipients, MessageSubject | Export-Csv SpamRecipients.csv

Example output:

Timestamp     Sender Recipients       MessageSubject
01/10/2020 15:05       Tony@spammer.com John.Doe@alwayshotcafe.com          Redeem your  Amazon voucher!
01/10/2020 15:05       Tony@spammer.com Jane.Doe@alwayshotcafe.com          Redeem your  Amazon voucher!
01/10/2020 15:05       Tony@spammer.com John.Cash@alwayshotcafe.com         Redeem your  Amazon voucher!
01/10/2020 15:05       Tony@spammer.com KevinSmith@alwayshotcafe.com        Redeem your  Amazon voucher!
01/10/2020 15:05       Tony@spammer.com Kim.Taylor@alwayshotcafe.com        Redeem your  Amazon voucher!
01/10/2020 15:05       Tony@spammer.com Liz.Harrison@alwayshotcafe.com      Redeem your  Amazon voucher!
01/10/2020 15:05       Tony@spammer.com Peter.Carrey@alwayshotcafe.com      Redeem your  Amazon voucher!
01/10/2020 15:05       Tony@spammer.com Yesenia.Burch@alwayshotcafe.com     Redeem your  Amazon voucher!
…

Script:

Import-Csv SpamRecipients.csv | %{
	$filter = "From:$($_.Sender) AND Subject:$($_.MessageSubject) AND Sent:$($_.Timestamp.Split(" ")[0])"
	
	Search-Mailbox -Identity $_.Recipients -SearchQuery $filter -TargetMailbox admin -TargetFolder "Spam: Nov/01" -Confirm:$false
}

2. New Methods

With content search we accomplish roughly the same, removing the results from user mailboxes. However this command doesn't copy the results before deletion. For that we can utilize e-Discovery, which is a topic of an upcoming article.

  • ContentSearch: date format is YYYY-MM-DD!
  • HardDelete only available in the cloud!
$Search=New-ComplianceSearch -Name "Spam from Tony" -ExchangeLocation All -ContentMatchQuery 'From:"Tony@spammer.com" AND Subject:"Redeem your $100 Amazon voucher!" AND Sent:"2020-10-01"'
Start-ComplianceSearch $Search.Identity
(Get-ComplianceSearch "Spam from Tony").SuccessResults

New-ComplianceSearchAction -SearchName "Spam from Tony" -Purge -PurgeType SoftDelete

Reader Interactions

Comments Cancel reply

Your email address will not be published. Required fields are marked *

Primary Sidebar

Tools

Secondary Sidebar

CONTENTS

  • What if spam messages slip through the cracks?
  • Remove Spam from Mailboxes
  • Remove Spam Messages from All Mailboxes
  • 1. Search-Mailbox method
  • Remove Spam using a List
  • 2. New Methods

  • Terms of Use
  • Disclaimer
  • Privacy Policy
Manage your privacy

To provide the best experiences, we and our partners use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us and our partners to process personal data such as browsing behavior or unique IDs on this site and show (non-) personalized ads. Not consenting or withdrawing consent, may adversely affect certain features and functions.

Click below to consent to the above or make granular choices. Your choices will be applied to this site only. You can change your settings at any time, including withdrawing your consent, by using the toggles on the Cookie Policy, or by clicking on the manage consent button at the bottom of the screen.

Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Statistics

Marketing

Features
Always active

Always active
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Manage options
{title} {title} {title}
Manage your privacy
To provide the best experiences, we use technologies like cookies to store and/or access device information. Consenting to these technologies will allow us to process data such as browsing behavior or unique IDs on this site. Not consenting or withdrawing consent, may adversely affect certain features and functions.
Functional Always active
The technical storage or access is strictly necessary for the legitimate purpose of enabling the use of a specific service explicitly requested by the subscriber or user, or for the sole purpose of carrying out the transmission of a communication over an electronic communications network.
Preferences
The technical storage or access is necessary for the legitimate purpose of storing preferences that are not requested by the subscriber or user.
Statistics
The technical storage or access that is used exclusively for statistical purposes. The technical storage or access that is used exclusively for anonymous statistical purposes. Without a subpoena, voluntary compliance on the part of your Internet Service Provider, or additional records from a third party, information stored or retrieved for this purpose alone cannot usually be used to identify you.
Marketing
The technical storage or access is required to create user profiles to send advertising, or to track the user on a website or across several websites for similar marketing purposes.
Statistics

Marketing

Features
Always active

Always active
Manage options Manage services Manage {vendor_count} vendors Read more about these purposes
Manage options
{title} {title} {title}