In this article we will look at the steps to identify spam emails circulated in an environment. When a user suspects a spam email and informs the IT team, the first thing an admin wants to know is whether the message has reached everyone or only that one user.
There are multiple scenarios in which spam messages can be circulated in an environment:
- From a single spam source address to a single recipient.
- From a single spam source address to multiple recipients.
- From multiple spam source addresses to multiple recipients, with different subject lines.
It is always better to search the whole organization to make sure the emails have not been circulated to all users.
The easiest way to identify the spam emails is to run a search on the subject line so that every affected mailbox can be identified. Note that a subject-only search will not catch the third scenario above, where the subject lines differ; there you would search on the sender address or another attribute the messages share.
Now we will look at the steps to perform this with the Search-Mailbox cmdlet.
First, the user who is going to perform this task must be added to the Discovery Management role group.
This is required to use the Search-Mailbox cmdlet; without it the user cannot run the search. Because Exchange RBAC only loads into the remote session the cmdlets a user is authorized for, a user without the role gets "search-mailbox is not recognized" rather than an access-denied error, and the shell must be closed and reopened after the membership change for the cmdlet to appear.
Next, create a new role group as below. This is needed to copy the found messages out of the source mailbox into the target mailbox, and to delete them.
Run the commands below to create the role group if it does not already exist. If an import/export role group already exists, just add the user who is going to perform this action to that role group.
To create: New-RoleGroup "Mailbox Import-Export Management" -Roles "Mailbox Import Export"
To add a user: Add-RoleGroupMember "Mailbox Import-Export Management" -Member Administrator
Even if only a single user suspects a virus message, it is better to search the whole organization to make sure the email has not been circulated to others. Run the command below to search for the virus email throughout the organization. In our example we are going to identify an infected email with the subject "Virus Infected". The -LogOnly switch makes this a dry run: nothing is copied or deleted, and a log of what would have matched is written to the target folder of the target mailbox.
Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope | Search-Mailbox -SearchQuery 'Subject:"virus infected"' -LogOnly -TargetMailbox administrator -TargetFolder filter -LogLevel Full
Once the command is run, the search starts as shown in the screenshot above. It may take some time depending on the environment and the number of mailboxes.
On successful completion, the log and the matched emails are available in the zip file attached to the log message, as shown in the screenshot.
Now run the command below to search for the infected emails and delete all of them across the whole organization. Because -TargetMailbox and -TargetFolder are still specified, a copy of every deleted message is kept in the target folder for later inspection.
Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope | Search-Mailbox -SearchQuery 'Subject:"virus infected"' -TargetMailbox administrator -TargetFolder filter -DeleteContent -LogLevel Full
Once it identifies the affected emails, it asks for confirmation before deleting them, as shown in the screenshot above. Add -Force to suppress the prompt when running unattended.
In addition, as a further check we can run a message tracking search on the subject across the whole organization to see to whom the infected emails were delivered, and confirm that all of them have been deleted.
Run the command below to perform message tracking by subject in the whole organization. In our case we are using the subject "Virus Infected".
Get-ExchangeServer | Where-Object {$_.IsHubTransportServer -eq $true -or $_.IsMailboxServer -eq $true} | Get-MessageTrackingLog -MessageSubject "Virus Infected" -ResultSize Unlimited | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Recipients | Sort-Object -Property Timestamp
Get-MessageTrackingLog returns at most 1000 entries per server by default, which is why -ResultSize Unlimited is added; on busy servers bound the search with -Start and -End so it does not read the entire log history.
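The whole procedure above as one script. This is an added example written for this page, not code from the original post; it uses the same cmdlets (Search-Mailbox and Get-MessageTrackingLog) but adds a role-membership check, a dry run whose results drive a targeted delete, and a reconciliation of the search results against the transport logs. The subject line, operator account, target mailbox name and 7-day lookback window are assumptions.

```powershell
# Added example (not from the original post): sweep a spam message out of an
# on-premises Exchange organization with Search-Mailbox, then reconcile against
# message tracking. Run in the Exchange Management Shell.
$Subject       = 'Virus Infected'   # assumed subject line of the spam
$Operator      = 'Administrator'    # assumed account running the sweep
$TargetMailbox = 'administrator'    # assumed mailbox (alias) that receives copies and logs
$TargetFolder  = 'filter'
$LookbackDays  = 7                  # assumed window for reading tracking logs

# 1. Verify the operator holds both roles the article requires. RBAC hides
#    unauthorized cmdlets from the session, so a missing role surfaces as
#    "search-mailbox is not recognized", not as access denied.
foreach ($group in 'Discovery Management', 'Mailbox Import-Export Management') {
    $members = Get-RoleGroupMember -Identity $group | ForEach-Object { $_.Name }
    if ($members -notcontains $Operator) {
        throw "$Operator is not a member of '$group'; add the account and reopen the shell."
    }
}

# KQL query; the inner double quotes make it a phrase match on the subject.
$query = 'Subject:"' + $Subject + '"'

# 2. Dry run across every mailbox except the target mailbox (so the copies and
#    logs written there are never matched on a later pass). -LogOnly changes
#    nothing and returns one result object per mailbox.
$dryRun = Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope |
    Where-Object { $_.Alias -ne $TargetMailbox } |
    Search-Mailbox -SearchQuery $query -LogOnly -TargetMailbox $TargetMailbox `
        -TargetFolder $TargetFolder -LogLevel Full

$affected = @($dryRun | Where-Object { $_.Success -and $_.ResultItemsCount -gt 0 })
$failed   = @($dryRun | Where-Object { -not $_.Success })

"Mailboxes with matches : $($affected.Count)"
"Mailboxes that failed  : $($failed.Count)   (re-run these; a failed search is not a clean one)"
$affected | Format-Table Identity, ResultItemsCount, ResultItemsSize -AutoSize

if ($affected.Count -eq 0) { return }

# 3. Delete only from the mailboxes that matched, keeping a copy of each item in
#    the target folder. -Force suppresses the per-mailbox confirmation prompt.
$answer = Read-Host "Delete matching items from $($affected.Count) mailboxes? (yes/no)"
if ($answer -ne 'yes') { return }

$deleted = foreach ($hit in $affected) {
    Search-Mailbox -Identity $hit.Identity -SearchQuery $query -DeleteContent -Force `
        -TargetMailbox $TargetMailbox -TargetFolder $TargetFolder -LogLevel Full
}
$deleted | Format-Table Identity, ResultItemsCount, Success -AutoSize

# 4. Reconcile with transport logs: every recipient with a DELIVER event for
#    this subject should have shown up in the mailbox search. Anyone who did
#    not needs a manual look (different subject spelling, forwarded copy, ...).
$start = (Get-Date).AddDays(-$LookbackDays)
$delivered = Get-ExchangeServer |
    Where-Object { $_.IsHubTransportServer -or $_.IsMailboxServer } |
    Get-MessageTrackingLog -MessageSubject $Subject -EventId DELIVER `
        -Start $start -ResultSize Unlimited

$recipients = @($delivered | ForEach-Object { $_.Recipients } | Sort-Object -Unique)
$searched   = @($affected | ForEach-Object {
    (Get-Mailbox -Identity $_.Identity).PrimarySmtpAddress.ToString()
})

$missed = @($recipients | Where-Object { $searched -notcontains $_ })
"Recipients seen in tracking logs : $($recipients.Count)"
"Mailboxes cleaned by the search  : $($searched.Count)"
if ($missed.Count -gt 0) {
    "Delivered but not found by the mailbox search (check these by hand):"
    $missed
}
```

The dry run is what makes the delete safe: the -DeleteContent pass only touches mailboxes that actually matched, and the copies kept in the target folder let you inspect the message (headers, links, attachments) after it is gone from user mailboxes. The reconciliation step is the one that tells you whether the subject-based query was good enough, which is exactly the doubt the third scenario at the top of the article raises.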
Important note:
Add your account to the Discovery Management role group for the Search-Mailbox command to work:
Add-RoleGroupMember -Identity "Discovery Management" -Member Administrator
The above method can be used to identify and delete any circulated spam email in the organization.
Thanks
Sathish Veerapandian
MVP – Exchange Server
Very good information to troubleshoot the spam related issue.
You're welcome, buddy.
Hi Satish. I followed your instructions as above and successfully went through the first 2 steps, i.e. To Create – New-RoleGroup… and To Add user – Add-RoleGroupMember…. When I try to run the next commands it gives me this error:
[PS] C:\Windows\system32>get-mailbox -ResultSize unlimited -IgnoreDefaultScope | search-mailbox -SearchQuery 'Subject:"MEDICAL XXXXXX"' -LogOnly -TargetMailbox XXXX -TargetFolder filter -LogLevel Full
search-mailbox : The term 'search-mailbox' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:57
+ get-mailbox -ResultSize unlimited -IgnoreDefaultScope | search-mailbox -SearchQu ...
+ ~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (search-mailbox:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
[PS] C:\Windows\system32>get-mailbox -ResultSize unlimited -IgnoreDefaultScope | search-mailbox -SearchQuery 'Subject:"MEDICAL XXXXX"' -TargetMailbox XXXX -TargetFolder filter -deletecontent -LogLevel Full
search-mailbox : The term 'search-mailbox' is not recognized as the name of a cmdlet, function, script file, or operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try again.
At line:1 char:57
+ get-mailbox -ResultSize unlimited -IgnoreDefaultScope | search-mailbox -SearchQu ...
+ ~~~~~~~~~~~~~~
+ CategoryInfo : ObjectNotFound: (search-mailbox:String) [], CommandNotFoundException
+ FullyQualifiedErrorId : CommandNotFoundException
Kindly let me know what I should do next.
Hi, please add your account to the Discovery Management role group and then try the command:
Add-RoleGroupMember -Identity "Discovery Management" -Member Administrator
My account is already added to the Discovery Management role group.
Can you paste the command and the error that you are getting?