Email Deletion from Multiple Mailboxes
1.0 Purpose
There are many scenarios in which emails may need to be deleted from users' mailboxes. The most common ones in organizations are:
1. Malicious Email
2. Confidential Email sent to wrong recipients
3. Need to remove an Email with Specific criteria from all/single mailboxes
2.0 Permission and Limitation
Permission: The user performing this task must be a member of the DL 'Discovery Management'.
Limitation:
- This query can return a maximum of 10,000 items for a single mailbox.
- Queries for Exchange 2010 and 2013 mailboxes must be executed from the Exchange Management Shell of the respective server.
- Email cannot be permanently deleted from the mailboxes of users on Litigation Hold. Deleted email will always remain in the Purges or Versions folder of that user's store.
3.0 Verify and Copy Email
Ensure that the right email is being deleted; a mistake in the query deletes the wrong messages. As an additional safeguard, first copy the matching email to another mailbox by using the TargetMailbox and TargetFolder parameters. This retains a copy of the deleted messages in case it is needed later.
3.1 Verify for Single Mailbox
Open Exchange PowerShell on the Exchange 2013/2010 server and run the command below:
This example searches the mailbox for messages that contain the phrase "Backup Exec alert" OR "xyzsdd" in the subject and have a spoof.docx attachment. It copies the messages into the SpoofEmail folder of the mailbox specified in TargetMailbox.
Search-Mailbox -Identity <Mailbox Email Address> -SearchQuery {(Subject:"Backup Exec alert" OR Subject:"xyzsdd") AND attachment:spoof.docx} -TargetMailbox <Mailbox Email Address> -TargetFolder "SpoofEmail"
This example searches the mailbox for messages that contain the phrase "Email Maintenance" in the subject and whose sender is virus@spam.au. It copies the messages into the SpoofEmail folder of the target mailbox.
Search-Mailbox -Identity <Mailbox Email Address> -SearchQuery 'From:virus@spam.au AND Subject:"Email Maintenance"' -TargetMailbox <Mailbox Email Address> -TargetFolder "SpoofEmail"
Note: Refer to Section 5.0 to build additional search queries.
3.2 Verify for Multiple Mailboxes
1) Copy Mailbox.txt to the desktop of your user profile and enter the email address or display name of each mailbox that needs to be queried.
2) Now run this command from Exchange PowerShell:
This example searches the mailboxes listed in the Mailbox.txt file for messages that contain the phrase "Backup Exec alert" OR "xyzsdd" in the subject and have a spoof.docx attachment. It copies the messages into the SpoofEmail folder of the mailbox specified in TargetMailbox.
gc C:\Users\<UserProfile>\Desktop\Mailbox.txt | % {Search-Mailbox -Identity $_ -SearchQuery {(Subject:"Backup Exec alert" OR Subject:"xyzsdd") AND attachment:spoof.docx} -TargetMailbox <Mailbox Email Address> -TargetFolder "SpoofEmail" }
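A per-mailbox estimate pass for the multi-mailbox verification above, as an added example that is not part of the original procedure. It uses the Search-Mailbox -EstimateResultOnly switch, which copies and deletes nothing, and flags mailboxes whose match count reaches the 10,000-item limit from Section 2.0. The report file name SearchEstimate.csv and the variable names are assumptions.

```powershell
# Added example: dry-run estimate before any copy or delete. Nothing is modified.
# Assumed names (not from the procedure): SearchEstimate.csv and all variables.
$mailboxList = "$env:USERPROFILE\Desktop\Mailbox.txt"
$reportPath  = "$env:USERPROFILE\Desktop\SearchEstimate.csv"
$query       = '(Subject:"Backup Exec alert" OR Subject:"xyzsdd") AND attachment:spoof.docx'
$itemLimit   = 10000   # per-mailbox limit stated in Section 2.0

$report = @()
foreach ($entry in Get-Content -Path $mailboxList) {
    $id = $entry.Trim()
    if ($id -eq '') { continue }            # skip blank lines in Mailbox.txt

    $items = $null
    $size  = $null
    try {
        # -EstimateResultOnly returns counts only; it cannot be combined
        # with -TargetMailbox or -DeleteContent.
        $r = Search-Mailbox -Identity $id -SearchQuery $query `
                 -EstimateResultOnly -ErrorAction Stop
        $items = $r.ResultItemsCount
        $size  = $r.ResultItemsSize

        if     ($items -ge $itemLimit) { $status = 'AT LIMIT - review and rerun' }
        elseif ($items -eq 0)          { $status = 'No match' }
        else                           { $status = 'OK' }
    }
    catch {
        # Typos in Mailbox.txt or ambiguous display names end up here.
        $status = "ERROR: $($_.Exception.Message)"
    }

    $report += New-Object PSObject -Property @{
        Mailbox = $id
        Items   = $items
        Size    = $size
        Status  = $status
    }
}

# Keep the estimate as a record of what the query matched before deletion.
$report | Select-Object Mailbox, Items, Size, Status |
    Export-Csv -Path $reportPath -NoTypeInformation
$report | Sort-Object Items -Descending |
    Format-Table Mailbox, Items, Size, Status -AutoSize
```

An unexpectedly high count for a mailbox usually means the query is too broad; tighten it before running the copy or delete commands.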
4.0 Email Deletion
Once it is verified that the correct email is being deleted and a copy of those emails has been made, run the commands below.
4.1 Deletion for Single Mailbox
Open Exchange PowerShell on the Exchange 2013/2010 server and run the command below:
This example searches the mailbox for messages that contain the phrase "Backup Exec alert" OR "xyzsdd" in the subject and have a spoof.docx attachment, and deletes those emails.
Search-Mailbox -Identity <Mailbox Email Address> -SearchQuery {(Subject:"Backup Exec alert" OR Subject:"xyzsdd") AND attachment:spoof.docx} -DeleteContent -Force
4.2 Deletion for Multiple Mailboxes
1) Copy Mailbox.txt to the desktop of your user profile and enter the email address or display name of each mailbox that needs to be queried.
2) Modify the -SearchQuery parameter according to the scenario, then run the command from Exchange PowerShell:
This example searches the mailboxes listed in the Mailbox.txt file for messages that contain the phrase "Backup Exec alert" OR "xyzsdd" in the subject and have a spoof.docx attachment, and deletes those emails.
gc C:\Users\<UserProfile>\Desktop\mailbox.txt | % {Search-Mailbox -Identity $_ -SearchQuery {(Subject:"Backup Exec alert" OR Subject:"xyzsdd") AND attachment:spoof.docx} -DeleteContent -Force}
5.0 Building Different Search Queries
# This example searches mailbox Test1 for messages that contain the phrase "Wire Transfer" in the body AND whose subject is "Money Transfer", OR where the address abc@test.com is in any of the fields (To, CC, BCC, From). It copies the messages into the SpoofEmail folder of Test2's mailbox.
Search-Mailbox -Identity 'Test1' -SearchQuery {Body:"Wire Transfer" AND Subject:"Money Transfer" OR Participants:abc@test.com} -TargetMailbox Test2 -TargetFolder "SpoofEmail"
# This example searches mailbox Test1 for messages that contain the phrase "Email Maintenance" and whose sender is virus@spam.au. It copies the messages into the SpoofEmail folder of the Test2 mailbox.
Search-Mailbox -Identity 'test1' -SearchQuery 'From:virus@spam.au AND Subject:"Email Maintenance"' -TargetMailbox Test2 -TargetFolder "SpoofEmail"
# This example searches the mailboxes listed in the Mailbox.txt file for messages that contain the phrase "Backup Exec alert" OR "xyzsdd" in the subject and have a spoof.docx attachment. It logs the result in the SpoofEmail folder in the Test2 mailbox. Messages are copied into the target mailbox.
gc C:\Users\<UserProfile>\Desktop\Mailbox.txt | % {Search-Mailbox -Identity $_ -SearchQuery {(Subject:"Backup Exec alert" OR Subject:"xyzsdd") AND attachment:spoof.docx} -TargetMailbox Test2 -TargetFolder "SpoofEmail" }
Different queries can be built with the help of different properties. Here is a list of searchable properties in Exchange. Please refer to the link for more information.
| Property | Property description | Examples | Search results returned by the examples |
|---|---|---|---|
| Attachment | The names of files attached to an email message. | attachment:annualreport.ppt; attachment:annual* | Messages that have an attached file named annualreport.ppt. In the second example, using the wildcard returns messages with the word "annual" in the file name of an attachment. |
| Bcc | The BCC field of an email message. | bcc:pilarp@contoso.com; bcc:pilarp; bcc:"Pilar Pinilla" | All examples return messages with Pilar Pinilla included in the Bcc field. |
| Body | Text in the body of an email message. | body:"Northwind Traders"; body:north* | Messages with the exact phrase "Northwind Traders" in the body of the message. The second example returns any message that contains words that begin with the string "north", such as north, northwind, or northern. |
| Cc | The CC field of an email message. | cc:pilarp@contoso.com; cc:"Pilar Pinilla" | In both examples, messages with Pilar Pinilla specified in the CC field. |
| From | The sender of an email message. | from:pilarp@contoso.com; from:contoso.com | Messages sent by the specified user or sent from a specified domain. |
| Importance | | importance:medium; importance:low | |
| Participants | All the people fields in an email message; these fields are From, To, CC, and BCC. | participants:garthf@contoso.com; participants:contoso.com | Messages sent by or sent to garthf@contoso.com. The second example returns all messages sent by or sent to a user in the contoso.com domain. |
| Received | The date that an email message was received by a recipient. | received:04/15/2014; received>=01/01/2014 AND received<=03/31/2014 | Messages that were received on April 15, 2014. The second example returns all messages received between January 1, 2014 and March 31, 2014. |
| Recipients | All recipient fields in an email message; these fields are To, CC, and BCC. | recipients:garthf@contoso.com; recipients:contoso.com | Messages sent to garthf@contoso.com. The second example returns messages sent to any recipient in the contoso.com domain. |
| Sent | The date that an email message was sent by the sender. | sent:07/01/2014; sent>=06/01/2014 AND sent<=07/01/2014 | Messages that were sent on the specified date or sent within the specified date range. |
| Subject | The text in the subject line of an email message. | subject:"Quarterly Financials"; subject:northwind | Messages that contain the exact phrase "Quarterly Financials" in the subject line. The second example returns all messages that contain the word northwind in the subject line. |
| To | The To field of an email message. | to:annb@contoso.com; to:annb; to:"Ann Beebe" | All examples return messages where Ann Beebe is specified in the To: line. |