{"id":82,"date":"2015-02-13T16:27:01","date_gmt":"2015-02-13T21:27:01","guid":{"rendered":"http:\/\/www.ccrossan.com\/?p=82"},"modified":"2016-07-07T08:04:32","modified_gmt":"2016-07-07T12:04:32","slug":"cleaning-up-exchange-messages-with-search-mailbox","status":"publish","type":"post","link":"https:\/\/crossan007.dev\/blog\/microsoft-exchange\/cleaning-up-exchange-messages-with-search-mailbox\/","title":{"rendered":"Cleaning Up Exchange Messages with Search-Mailbox"},"content":{"rendered":"\n
Tweet<\/a><\/div>\n

Like most sysadmins, I receive notifications from end users about SPAM showing up in their inbox. \u00a0While not all spam can be avoided, we can deal with it. \u00a0I wanted to lessen the impact of already delivered spam and potentially avert a crisis if the same phishing email is sent to all 1500 mailboxes, so I whipped up this script to search out and destroy these messages from my Exchange environment:<\/p>\n

$Subject = “About your last transaction”
\n$StartDate = $(‘1\/1\/2015’)
\n$BodyLanguage = “sellam.fr”
\n$TargetMailbox = “spamdump”
\n$TargetFolder = “WHD2918”<\/p>\n

$Search = [scriptblock]::Create(“Received>=`”$StartDate`” and Subject:`”$Subject`” and `”$BodyLanguage`””)<\/p>\n

Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery $Search -targetmailbox $TargetMailbox -targetfolder $TargetFolder -loglevel full -logonly<\/p><\/blockquote>\n

Note the last flag in the last line of the script: “-logonly.” \u00a0Be very careful to run the command with this command the first go-round. \u00a0This ensures that the query you specify does not grab messages that it shouldn’t (and you wind up deleting everyone’s entire mailbox). \u00a0The result of logonly is an excel file in the target mailbox with the headers of the resultant messages.<\/p>\n

After reviewing the messages, replace -logonly with -deletecontent. \u00a0This will actually move the messages from the users’ mailboxes into the target mailbox.<\/p>\n

If you want to modify the query, take a look into how Search-Mailbox actually works. \u00a0 Search-Mailbox uses KQL<\/a>, so be sure to brush up on the syntax. \u00a0If you’ve beocme accustomed to the powershell boolean operators such as “-and,” You’ll be unpleasantly surprised when you learn that the same operator will evaluate to “not and” in KQL<\/p>\n","protected":false},"excerpt":{"rendered":"

I wanted to lessen the impact of already delivered spam and potentially avert a crisis if the same phishing email is sent to all 1500 mailboxes<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":[],"categories":[28],"tags":[51,50,47,29,49,52,31],"yoast_head":"\n\n\n\n\n\n\n\n\n\n\n\n\t\n\t\n\t\n