Steps to Delete circulated Suspicious emails with Search-Mailbox

In this article we will look at the steps to identify spam emails circulated in an environment. When a user suspects a spam email and informs the IT team, the first thing an admin wants to know is whether the email has been circulated to everyone or not.

There are multiple scenarios in which spam messages can be circulated in an environment.

  • From a single spam source email address to a single recipient.
  • From a single spam email address to multiple recipients.
  • From multiple spam email addresses to multiple recipients with different subject lines.

It's always better to search the whole organization to make sure the emails have not been circulated to all the users.

The easiest way to identify the spam emails is to run a search with the subject line so that all the affected mailboxes can be identified.

Now we will look at the steps to perform this action with the Search-Mailbox command.

First we need to add the user who is going to perform this task to the Discovery Management role group.
This is required in order to use the Search-Mailbox command; if we do not add the user, they won't be able to run the search command.

Create a new role group as below. We need this in order to export/import the contents from the source mailbox and copy them to the target mailbox.
Run the below commands to create the role group if we don't have one already. If we already have the import/export role group, just add the user who is going to perform this action to that role group.
To create:  New-RoleGroup "Mailbox Import-Export Management" -Roles "Mailbox Import Export"
To add a user:  Add-RoleGroupMember "Mailbox Import-Export Management" -Member Administrator


Even if a single user suspects a virus message, it is better to search the whole organization to make sure the email has not been circulated to others. Now run the below command to search for the virus email throughout the organization. In our example we are going to identify an infected email with the subject "Virus Infected".

Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope | Search-Mailbox -SearchQuery 'Subject:"virus infected"' -LogOnly -TargetMailbox administrator -TargetFolder filter -LogLevel Full


Once we run the command, the search starts as shown in the screenshot above. The search may take some time depending on the environment and the number of mailboxes we have.

Upon successful completion of the search, we can see the logs and the matching emails in the attached zip file, as shown in the screenshot.


Now we need to run the below command to search for the infected emails and delete all of them across the whole organization.

Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope | Search-Mailbox -SearchQuery 'Subject:"virus infected"' -TargetMailbox administrator -TargetFolder filter -DeleteContent -LogLevel Full


Once it identifies the affected emails, it asks us for confirmation before deleting the suspected emails, as shown in the screenshot above.

Apart from the above, as an additional security check we can also run message tracking with the subject across the whole organization to see to whom the infected emails have been circulated and to confirm that all of them have been deleted.

Run the below command to perform message tracking by subject across the whole organization. In our case we are using the subject "Virus Infected".

Get-ExchangeServer | Where-Object {$_.IsHubTransportServer -eq $true -or $_.IsMailboxServer -eq $true} | Get-MessageTrackingLog -MessageSubject "Virus Infected" | Select-Object Timestamp,ServerHostname,ClientHostname,Source,EventId,Recipients | Sort-Object -Property Timestamp


Important Note:

Please add your account to the Discovery Management role group for the Search-Mailbox command to work.

Add-RoleGroupMember -Identity "Discovery Management" -Member Administrator

The above method can be used to identify and delete any circulated spam email in our organization.
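As an added example (not from the original post), the whole procedure above wrapped into one Exchange Management Shell script: a log-only pass first to measure how far the message spread, a message-tracking cross-check, and deletion only when explicitly requested. It assumes the running account is already in the Discovery Management and Mailbox Import-Export Management role groups, that the subject contains no double quotes, and that Search-Mailbox returns the Identity and ResultItemsCount properties it does on-premises.

```powershell
# Added example, not the article's own script. Assumes an Exchange Management
# Shell session and the role group memberships described above.
param(
    [Parameter(Mandatory)] [string] $Subject,     # e.g. "Virus Infected"
    [string] $TargetMailbox = "administrator",    # where logs and copies land
    [string] $TargetFolder  = "filter",
    [switch] $Delete                              # dry run unless set
)

# Same KQL subject query shape the article uses (subject assumed quote-free).
$query = "Subject:`"$Subject`""

# Step 1: log-only pass across every mailbox. Nothing is removed yet; the
# result tells us which mailboxes hold the message and how many copies.
$hits = Get-Mailbox -ResultSize Unlimited -IgnoreDefaultScope |
    Search-Mailbox -SearchQuery $query -TargetMailbox $TargetMailbox `
        -TargetFolder $TargetFolder -LogOnly -LogLevel Full |
    Where-Object { $_.ResultItemsCount -gt 0 }

"{0} mailbox(es) contain messages with subject '{1}'" -f @($hits).Count, $Subject
$hits | Select-Object Identity, ResultItemsCount, ResultItemsSize | Format-Table -AutoSize

# Step 2: cross-check with message tracking. DELIVER events list every
# recipient the message reached, including mailboxes already cleaned out.
$delivered = Get-ExchangeServer |
    Where-Object { $_.IsHubTransportServer -or $_.IsMailboxServer } |
    Get-MessageTrackingLog -MessageSubject $Subject -ResultSize Unlimited |
    Where-Object { $_.EventId -eq 'DELIVER' } |
    Sort-Object Timestamp
$delivered | Select-Object Timestamp, Sender, Recipients, ServerHostname | Format-Table -AutoSize

# Step 3: delete only when asked, and only in mailboxes the log-only pass
# flagged, so the dry-run output doubles as the change record.
if ($Delete -and @($hits).Count -gt 0) {
    $hits | ForEach-Object { Get-Mailbox -Identity $_.Identity } |
        Search-Mailbox -SearchQuery $query -TargetMailbox $TargetMailbox `
            -TargetFolder $TargetFolder -DeleteContent -LogLevel Full
}
```

Run it once without -Delete, compare the mailbox list against the DELIVER recipients, and rerun with -Delete only after the two agree.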

Thanks

Sathish Veerapandian

MVP – Exchange Server

6 thoughts on "Steps to Delete circulated Suspicious emails with Search-Mailbox"

  1. Murali October 17, 2014 at 8:24 am

    Very good information to troubleshoot spam-related issues.


  2. Khuzema May 4, 2015 at 1:38 pm

    Hi Satish. I followed your instructions as above, and successfully went through the first 2 steps, i.e. To Create – New-RoleGroup….. and To Add user – Add-RoleGroupMember…. When I try to run the next commands it gives me this error:

    [PS] C:\Windows\system32>get-mailbox -ResultSize unlimited -IgnoreDefaultScope | search-mailbox -SearchQuery `Subject:”M
    EDICAL XXXXXX”‘ -LogOnly -TargetMailbox XXXX -TargetFolder filter -LogLevel Full
    search-mailbox : The term ‘search-mailbox’ is not recognized as the name of a cmdlet, function, script file, or
    operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
    again.
    At line:1 char:57
    + get-mailbox -ResultSize unlimited -IgnoreDefaultScope | search-mailbox -SearchQu …
    + ~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (search-mailbox:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    [PS] C:\Windows\system32>get-mailbox -ResultSize unlimited -IgnoreDefaultScope | search-mailbox -SearchQuery `Subject:”M
    EDICAL XXXXX”‘ -TargetMailbox XXXX -TargetFolder filter -deletecontent -LogLevel Full
    search-mailbox : The term ‘search-mailbox’ is not recognized as the name of a cmdlet, function, script file, or
    operable program. Check the spelling of the name, or if a path was included, verify that the path is correct and try
    again.
    At line:1 char:57
    + get-mailbox -ResultSize unlimited -IgnoreDefaultScope | search-mailbox -SearchQu …
    + ~~~~~~~~~~~~~~
    + CategoryInfo : ObjectNotFound: (search-mailbox:String) [], CommandNotFoundException
    + FullyQualifiedErrorId : CommandNotFoundException

    Kindly let me know what I should do next.


    • sathishveerapandian May 4, 2015 at 1:47 pm

      Hi, please add your account to the Discovery Management role group and then try the command:

      Add-RoleGroupMember -Identity “Discovery Management” -Member Administrator.


  3. Khuzema May 4, 2015 at 3:52 pm

    My account is already added to the Discovery Management role group.
