What if spam messages slip through the cracks?
Even with spam filters set up for your email service, spam messages might slip through the cracks and land in your users' inboxes. These messages can cause real pain.
In such cases we, as administrators, have two options. One is to send out a notification message informing the users of the situation and asking them to delete the message when it arrives. The problem with this method is that many of them might have already opened the spam message by the time they get to your notification.
The other option is removing the spam messages from the mailboxes through the Exchange shell. Let's see how!
Remove Spam from Mailboxes
To remove spam messages globally from user mailboxes we have two options:
- Using the Search-Mailbox command on older Exchange servers
- Running the New-ComplianceSearch command, which will soon supersede the former in later versions of Exchange
Remove Spam Messages from All Mailboxes
In our example a spammer called Tony sent out a spam message to 200 of our users. Our goal is to remove those messages before the users open their mailboxes in the morning.
We know that the spam message arrived today which is 01/10/2020, the sender was Tony@spammer.com and the subject in all cases reads as: "Redeem your $100 Amazon voucher!"
1. Search-Mailbox method
With the Search-Mailbox command we can run through all mailboxes in our organization, searching for emails that match our criteria. The process first copies the matching emails to a central mailbox, so that if legitimate emails are removed they can easily be restored. Then the command deletes the matching emails from the user mailboxes.
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'From:"Tony@spammer.com" AND Subject:"Redeem your $100 Amazon voucher!" AND Sent:"01/10/2020"' -TargetMailbox admin -TargetFolder "Spam: Nov/01" -DeleteContent -Force -Confirm:$false
This method is simple, as it comprises a single command line. However, it has limitations: only 10,000 messages can be processed at a time per mailbox this way, and the command is going to be deprecated in later versions of Exchange.
Here are the results saved in the admin mailbox; they have also been deleted from the source mailboxes.
Remove Spam using a List
Here we use a message tracking log extract as the input, so that only the messages we specifically want are removed. With the first method there is only a slim chance of removing legitimate emails, but it is still a chance, which matters in larger organizations or where precision is very important. Browsing through the log we look for items we may want to keep, and by removing those rows from the CSV file we preserve them.
Message tracking log:
# One CSV row per recipient: the Recipients property is an array, which Export-Csv would otherwise flatten to "System.String[]"
Get-MessageTrackingLog -Sender "Tony@spammer.com" -EventId RECEIVE -Start (Get-Date).AddDays(-1) -End (Get-Date) -ResultSize Unlimited |
    ForEach-Object { $m = $_; $m.Recipients | ForEach-Object { [pscustomobject]@{ Timestamp = $m.Timestamp; Sender = $m.Sender; Recipients = $_; MessageSubject = $m.MessageSubject } } } |
    Export-Csv SpamRecipients.csv -NoTypeInformation
Example output:
Script:
Import-Csv SpamRecipients.csv | ForEach-Object {
    # The subject is quoted so the search uses a KQL phrase match; Sent takes only the date part of the timestamp
    $filter = "From:`"$($_.Sender)`" AND Subject:`"$($_.MessageSubject)`" AND Sent:`"$($_.Timestamp.Split(' ')[0])`""
    Search-Mailbox -Identity $_.Recipients -SearchQuery $filter -TargetMailbox admin -TargetFolder "Spam: Nov/01" -DeleteContent -Confirm:$false
}
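A dry-run variant of the list-driven cleanup, added here as an example and not part of the original article: it builds the same query per CSV row, first runs Search-Mailbox with -EstimateResultOnly so the hit count per recipient can be checked, and only deletes (copying to the admin mailbox first) when -Delete is passed. It assumes an Exchange Management Shell session, the script saved as a .ps1 file, and a SpamRecipients.csv with one recipient per row (columns Timestamp, Sender, Recipients, MessageSubject); the parameter names and the New-SpamQuery helper are this example's own.

```powershell
# Added example (not the article's code): estimate first, delete only with -Delete.
param(
    [string]$CsvPath       = '.\SpamRecipients.csv',
    [string]$TargetMailbox = 'admin',
    [string]$TargetFolder  = 'Spam: Nov/01',
    [switch]$Delete        # omit for an estimate-only pass
)

# Build the KQL query for one CSV row (hypothetical helper).
# Double quotes in a subject would end the KQL phrase early, so they are dropped;
# Sent takes the date part of the exported timestamp only.
function New-SpamQuery {
    param($Row)
    $subject = $Row.MessageSubject -replace '"', ''
    $date    = $Row.Timestamp.Split(' ')[0]
    return "From:`"$($Row.Sender)`" AND Subject:`"$subject`" AND Sent:`"$date`""
}

$rows = Import-Csv $CsvPath

# A user hit by several copies appears on several rows; one Search-Mailbox call
# per distinct (recipient, query) pair is enough.
$pairs = $rows | ForEach-Object {
    [pscustomobject]@{ Recipient = $_.Recipients; Query = (New-SpamQuery $_) }
} | Sort-Object Recipient, Query -Unique

$mode = if ($Delete) { 'Deleted' } else { 'Estimate' }

$summary = foreach ($p in $pairs) {
    if ($Delete) {
        # Copies the hits to the admin mailbox, then deletes them from the user mailbox.
        $r = Search-Mailbox -Identity $p.Recipient -SearchQuery $p.Query `
                -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder `
                -DeleteContent -Confirm:$false
    } else {
        # Reports how many items match; nothing is copied or deleted.
        $r = Search-Mailbox -Identity $p.Recipient -SearchQuery $p.Query -EstimateResultOnly
    }
    [pscustomobject]@{ Recipient = $p.Recipient; Hits = $r.ResultItemsCount; Mode = $mode }
}

$summary | Format-Table -AutoSize
# A recipient showing 0 hits (query mismatch) or many more than expected (an
# over-broad query) deserves a look before the script is re-run with -Delete.
```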
2. New Methods
With a content search we accomplish roughly the same, removing the results from user mailboxes. However, this command doesn't copy the results before deletion; for that we can use eDiscovery, which is the topic of an upcoming article.
$Search = New-ComplianceSearch -Name "Spam from Tony" -ExchangeLocation All -ContentMatchQuery 'From:"Tony@spammer.com" AND Subject:"Redeem your $100 Amazon voucher!" AND Sent:"2020-10-01"'
Start-ComplianceSearch -Identity $Search.Identity
# The search runs asynchronously; wait for it to complete before reading the results
while ((Get-ComplianceSearch -Identity "Spam from Tony").Status -ne "Completed") { Start-Sleep -Seconds 10 }
(Get-ComplianceSearch -Identity "Spam from Tony").SuccessResults
# A purge action removes at most 10 items per mailbox at a time; repeat it if items remain
New-ComplianceSearchAction -SearchName "Spam from Tony" -Purge -PurgeType SoftDelete