Exchange Search and Remove Mail that was delivered as spam
Scenario: Multiple users have received an email message and this message needs to be removed. For example, a spammer has sent multiple users a malicious email and we want to remove the message from every mailbox that currently holds it.
Script: The following scriptlet collects the senders and recipients from the message tracking logs and runs Search-Mailbox with the -DeleteContent switch against each of them. You may have to add additional parameters if you need to filter it down even more.
#The script below is to be used when we have a subject line we are trying to find and remove.
$subject = "test222"
$start = "4/11/2014"
#Determine the mailboxes that the message went to:
$Recipients = (Get-TransportServer | Get-MessageTrackingLog -MessageSubject $subject -Start $start).recipients
$Senders = (Get-TransportServer | Get-MessageTrackingLog -MessageSubject $subject -Start $start).sender
#Force both sides to arrays so a single result is not joined as a string
$All = @($Recipients) + @($Senders)
$all = $all | Select -uniq
#Search and DESTROY!!!!!
$all | Foreach {
    write-host $_
    #-deletecontent with -force permanently removes matches without prompting
    search-mailbox $_ -searchquery "Subject:'*$subject*' Sent:$start" -deletecontent -force
}
#The script below is to be used when the subject is blank but we have a valid from address.
$sender = "user@domain.com"
$start = "4/11/2014"
#Determine the mailboxes that the message went to:
$Recipients = (Get-TransportServer | Get-MessageTrackingLog -Sender $sender -Start $start).recipients
$all = $recipients | Select -uniq
#Search and DESTROY!!!!!
$all | Foreach {
    write-host $_
    #-deletecontent with -force permanently removes matches without prompting
    search-mailbox $_ -searchquery "From:$sender Sent:$start" -deletecontent -force
}
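Added example (not part of the original script): because -deletecontent -force is irreversible, the variant below first reports how many items the same subject query matches in each mailbox and deletes only when asked, keeping a copy for investigation. The function name Remove-DeliveredMessage, the SpamQuarantine mailbox and the PurgedSpam folder are hypothetical and must be adapted to your environment.

```powershell
# Added example: preview first, delete only on request, keep an evidence copy.
# Remove-DeliveredMessage, 'SpamQuarantine' and 'PurgedSpam' are hypothetical names.
function Remove-DeliveredMessage {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)][string]$Subject,
        [Parameter(Mandatory)][string]$Start,          # e.g. "4/11/2014", as in the script above
        [string]$EvidenceMailbox = 'SpamQuarantine',   # assumed to exist already
        [switch]$Delete
    )

    # DELIVER events only, so we list mailboxes that actually received a copy.
    # -ResultSize Unlimited lifts the default limit on returned log entries.
    $recipients = Get-TransportServer |
        Get-MessageTrackingLog -MessageSubject $Subject -Start $Start `
            -EventId DELIVER -ResultSize Unlimited |
        ForEach-Object { $_.Recipients } |
        Sort-Object -Unique

    # Same query shape as the script above.
    $query = "Subject:'*$Subject*' Sent:$Start"

    foreach ($address in $recipients) {
        # Tracking logs can list addresses that are not local mailboxes; skip them.
        $mbx = Get-Mailbox -Identity $address -ErrorAction SilentlyContinue
        if (-not $mbx) { Write-Warning "No mailbox for $address, skipped"; continue }

        # Count matches without touching the mailbox content.
        $estimate = Search-Mailbox -Identity $mbx.Identity -SearchQuery $query -EstimateResultOnly
        if ($estimate.ResultItemsCount -eq 0) { continue }

        if ($Delete) {
            # Copies matches to the evidence mailbox, then deletes them from the source.
            Search-Mailbox -Identity $mbx.Identity -SearchQuery $query `
                -TargetMailbox $EvidenceMailbox -TargetFolder 'PurgedSpam' `
                -DeleteContent -Force
        } else {
            $estimate | Select-Object Identity, ResultItemsCount, ResultItemsSize
        }
    }
}

# Dry run first; rerun with -Delete once the per-mailbox counts look right.
Remove-DeliveredMessage -Subject 'test222' -Start '4/11/2014'
Remove-DeliveredMessage -Subject 'test222' -Start '4/11/2014' -Delete
```

The account running this needs the Mailbox Import Export management role for -DeleteContent, and the evidence mailbox must not be one of the mailboxes being searched.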