O-Xchange Notes from the Field!

Tuesday, April 29, 2014

Identifying Spam Emails and Mitigation

Occasionally, a customer’s mailbox may become compromised and the mailbox is used to send spam emails internally and externally from the customers email address. An email address is suspected to be sending spam when the sent message count from that email address exceeds 100 emails within a small time frame. 

The steps below will help identify if messages are spam and how to mitigate this internal spam source.  Not all mass mailings are considered to be spam; the steps below will be used to help identify a potential internal spam source of a compromised mailbox. Discretion for the suspected mass mailings is still required.

Identifying Spam Emails

•  Recipient counts over 500 are suspicious.
•  If multiple mass mailing are sent from the same sender, these messages may be considered as spam
•  If the majority of the recipients are external, these messages may be considered as spam.
•  If the message subject is blank or not relative coming from that sender, these messages may be considered as spam.

Mitigation and Resolution

•  Set a 1KB restriction for mail flow on the mailbox within Exchange.  PS Command:  set-mailbox mailbox -MaxSendSize 1KB
•  Disable any rule in the mailbox that looks suspicious. Delete any rule that can be positively identified as not being set by the customer. Use the following PS Commands:  
     Review Rules: get-inboxrule -mailbox mailbox | FL   <--Capture Identity of rule if you think is spam.
     Remove Rule: remove-inboxrule identity
•  Contact the customer to reset their password. Change it if no response.
•  Contact the customer’s LAN Administrator and advise them to run antimalware software on the affected customer’s computer.
•  Remove the MaxSendSize you set in step 1. It may take 30 minutes for this setting to go back into effect.  PS Command:  set-mailbox mailbox -maxsendsize unlimited

Monday, April 21, 2014

Exchange PowerShell script that will perform a mailbox count on each database and email the results.

Below is a Exchange PowerShell script that will perform a mailbox count on each database and email the results.  The script is performed with the get-mailboxstatistics for each mailbox on that database as the results are much faster than the get-mailbox command.

# Create an empty HashTable to store database name and count.
$MailboxCount = @{}

# Collect Databases
$databases = Get-mailboxDatabase | Where Name -like "2013DB*" | Sort name

#Loop through each
ForEach ($database in $databases){
$MBs = Get-mailboxstatistics -database $database

#Format the Results
$MailboxCountOrdered = $MailboxCount.GetEnumerator() | Sort-Object Name | Out-String
$orderedMailboxCount = $MailboxCount.GetEnumerator() | Sort-object Value | Out-String

#Send an email:
$SmtpClient = new-object system.net.mail.smtpClient 
$MailMessage = New-Object system.net.mail.mailmessage 
$SmtpClient.Host = "mail.server.com" 
$mailmessage.from = ("MailboxCount@domain.com") 
$mailmessage.Subject = "Mailbox Count"
$mailmessage.Body = "Mailbox Count

The following list shows the Mailbox Count for the Databases in Ex2013. The 2 lists below are the same; one is in order of database name and the other is in order of mailbox count.
Database Order:
Count Order:

Wednesday, April 16, 2014

Process Meeting Requests Automatically from a Exchange user Mailbox

Scenario: If you have a normal Exchange user mailbox that is not a resource, you can configure Outlook to process the meeting request automatically.  To do so, perform the following within Outlook:

Click on File-->Options
1. Navigate to Mail-->Tracking. Make sure there is a check mark in Automatically process meeting requests and responses to meeting requests and polls.
2. Navigate to Calendar-->Automatic accept or decline. From here you can select from the menu how you wish to automatically process meeting requests:

  • Automatically accept meeting requests and remove canceled meetings
  • Automatically decline meeting requests that conflict with an existing appointment or meeting
  • Automatically decline recurring meeting requests
Outlook uses a sniffer that is an idle process to process meeting requests.  Only one machine can process sniffer requests. It only runs when Outlook is idle -- if its never idle it will never run.


1.  Disable Outlook Addin's and try again.
2.  Use the /sniff or the /cleansniff when opening outlook.
3.  Check the property PR_Processed with MFCMAPI on the mail message.

Tuesday, April 8, 2014

Error: You need more memory or system resources. Please close some Windows and try again.

Problem when trying to open the mail app in the control panel or if opening outlook with many profiles.

To resolved rename the following key to something else.

Outlook 2010 and older:
HKEY_CURRENT_USER\Software\Microsoft\Windows NT\CurrentVersion\Windows Messaging Subsystem
 Outlook 2013:

Friday, April 4, 2014

Exchange Search and Remove Mail that was delivered as spam

Scenario:  Multiple users have received a email message and this message needs to be removed. For example, a spammer has sent multiple users a malicious email and we want to remove the mail message out of the mailbox for anyone that has it currently in their mailbox.

Script:  The following script-let collects the senders and recipients from the message trackinglogs and performs a Search-Mailbox with the -deletecontent switch. You may have to add additional parameters if you need to filter it down even more.

#The script below is to be used when we have a subject line we are trying to find and remove.

$subject = "test222"
$start = "4/11/2014"

#Determine the mailboxes that the message went to:
$Recipients = (Get-TransportServer | Get-MessageTrackingLog -MessageSubject $subject -Start $start).recipients
$Senders = (Get-TransportServer | Get-MessageTrackingLog -MessageSubject $subject -Start $start).sender
$All = $Recipients + $Senders
$all = $all | Select -uniq
#Search and DESTROY!!!!!
$all | Foreach {
write-host $_
search-mailbox $_ -searchquery "Subject:'*$subject*' Sent:$start" -deletecontent -force

#The script below is to be used when the subject is blank but we have a valid from address.

$sender = "user@domain.com"
$start = "4/11/2014"

#Determine the mailboxes that the message went to:
$Recipients = (Get-TransportServer | Get-MessageTrackingLog -Sender $sender -Start $start).recipients
$all = $recipients | Select -uniq
#Search and DESTROY!!!!!
$all | Foreach {
write-host $_
search-mailbox $_ -searchquery "From:$sender Sent:$start" -deletecontent -force


Wednesday, April 2, 2014

New-MailboxExportRequest with exporting a single folder to a PST

Export a single folder to a PST

New-MailboxExportRequest mailbox -BadItemLimit 999 -AcceptLargeDataLoss -IncludeFolders "#Calendar#" -filepath \\server\share\mailbox_calendar.pst