다음을 통해 공유


Email Deletion from Multiple Mailboxes

1.0 Purpose

Many of the scenarios exist when one may need to delete the emails from the user’s mailboxes but below are one from the most common scenarios in Organizations where email deletion from mailboxes may be needed:-

1. Malicious Email

2. Confidential Email sent to wrong recipients

3. Need to remove an Email with Specific criteria from all/single mailboxes

2.0 Permission and Limitation

Permission: - User performing this task must be member of the DL ‘Discovery Management’

Limitation: -

  • This query can only return max 10,000 item for a single mailbox.
  • Query for Exchange 2010 and 2013 mailboxes must be executed from Exchange Management of the respective server.
  • Email can’t be permanently deleted from users on Litigation Hold. Deleted email will always remain in purge or version folder of that user’s store.

3.0 Verify and Copy Email

Ensure that the right email is being deleted. In case of any mistake, incorrect messages could be deleted. As an additional safeguard, first copy email to another mailbox by using the TargetMailbox and TargetFolder parameters. By doing this, we retain a copy of the deleted messages in case that is needed further.

3.1 Verify for Single Mailbox

Open Exchange PowerShell on Exchange 2013/2010 Server and run below command:-

This example searches mailbox for messages that contain the phrase "Backup Exec alert" OR “xyzsdd" in the subject and contains spoof.docx attachment, It will copy message into SpoofEmail folder of mailbox specified in TargetMailbox.

Search-Mailbox -Identity <Mailbox Email Address> -SearchQuery {Subject:"Backup Exec alert" OR Subject:"xyzsdd" AND attachment:spoof.docx} -TargetMailbox <Mailbox Email Address>-TargetFolder "SpoofEmail"

This example searches mailbox for the messages that contain the phrase "Email Maintenance" in Subject and sender is virus@spam.au, It will copy the message into SpoofEmail folder target mailbox.

Search-Mailbox -Identity <Mailbox Email Address> -SearchQuery “From:virus@spam.au and Subject:Email Maintenance” TargetMailbox <Mailbox Email Address> -TargetFolder "SpoofEmail"

Note: - Refer Section 5.0 to Build Additional Search Query

3.2 Verify for multiple Mailbox

1)     Copy Mailbox.txt on desktop of your user profile and put mailbox email address or Display name need to be queried.

2)        Now run this command from Exchange Powershell :-

This example searches mailboxes mentioned in Mailbox.txt file for messages that contain the phrase "Backup Exec alert" OR “xyzsdd" in the subject and contains spoof.docx attachment, It will copy message into SpoofEmail folder of mailbox specified in TargetMailbox. 

gc C:\Users\UserProfile>\Desktop\Mailbox.txt | % {Search-Mailbox -Identity $_ -SearchQuery {Subject:"Backup Exec alert" OR Subject:"xyzsdd" AND attachment:spoof.docx} -TargetMailbox <Mailbox Email Address> -TargetFolder "SpoofEmail" }

4.0 Email Deletion

Once it is verified that correct email is being deleted and copy has been made for those emails. Run mentioned commands.

4.1 Deletion for Single Mailbox

Open Exchange PowerShell on Exchange 2013/2010 Server and run below command:-

This example searches mailbox for the messages that contain the phrase "Backup Exec alert" OR “xyzsdd" in the subject and contains spoof.docx attachment and deletes those email.

Search-Mailbox -Identity <Mailbox Email Address> -SearchQuery {Subject:"Backup Exec alert" OR Subject:"xyzsdd" AND attachment:spoof.docx} –Deletecontent -Force

4.2 Deletion for Multiple Mailboxes

1)     Copy Mailbox.txt on desktop of your user profile and put mailbox email address or Display name need to be queried.

2)     Modify the parameter –SearchQuery according to the scenario then run command from Exchange Powershell :-

This example searches mailboxes mentioned in Mailbox.txt file for messages that contain the phrase "Backup Exec alert" OR “xyzsdd" in the subject and contains spoof.docx attachment.

*gc C:\Users\UserProfile>\Desktop\mailbox.txt | % {Search-Mailbox -Identity $_ -SearchQuery {Subject:"Backup Exec alert" OR Subject:"xyzsdd" AND attachment:spoof.docx} -deletecontent -Force}
*

5.0 Building different Search Queries

# This example searches mailbox Test1 where messages that contain the phrase "Wire Transfer" in Body AND Subject is Money Transfer OR Address abc@test.com is in any of the field (To,CC,BCC,From), It will copy the message into SpoofEmail folder of Test2’s mailbox

Search-Mailbox –ID ‘Test1’ -SearchQuery {Body:"Wire Transfer" AND Subject:"Money Transfer" OR Participants:abc@test.com} -TargetMailbox Test2 -TargetFolder "SpoofEmail"

# This example searches mailbox Test1 where messages that contain the phrase "Email Maintenance" and sender is virus@spam.au, It will copy the message into SpoofEmail folder of Test2 mailbox

Search-Mailbox –ID ‘test1’ -SearchQuery “From:virus@spam.au and Subject:Email Maintenance” -TargetMailbox Test2 -TargetFolder "SpoofEmail"

# This example searches mailboxes mentioned in Mailbox.txt file for messages that contain the phrase "Backup Exec alert" OR “xyzsdd" in the subject and contains spoof.docx attachment, It will logs the result in the SpoofEmail folder in the Test2 mailbox. Messages will be copied into target mailbox.

GC C:\Users\UserProfile>\Desktop\Mailbox.txt | % {Search-Mailbox -Identity $_ -SearchQuery {Subject:"Backup Exec alert" OR Subject:"xyzsdd" AND attachment:spoof.docx} -TargetMailbox Test2 -TargetFolder "SpoofEmail" }

Different Queries can be built with help of different properties and here is the sheet of searchable properties in Exchange, Please refer link for more information.

Property

Property description

Examples

Search results returned by the examples

Attachment

The names of files attached to an email message.

attachment:annualreport.ppt

Messages that have an attached file named annualreport.ppt.

attachment:annual*

In the second example, using the wildcard returns messages with the word "annual" in the file name of an attachment.

Bcc

The BCC field of an email message.1

bcc:pilarp@contoso.com

All examples return messages with Pilar Pinilla included in the Bcc field.

bcc:pilarp

bcc:"Pilar Pinilla"

Body

Text in the body of an email message.

body:"Northwind Traders"

Messages with the exact phrase "Northwind Traders" in the body of the message. The second example returns any message that contains words that begin with the string "north", such as north, northwind, or northern.

body:north*

 

Cc

The CC field of an email message.

cc:pilarp@contoso.com

In both examples, messages with Pilar Pinilla specified in the CC field.

cc:"Pilar Pinilla"

From

The sender of an email message.

from:pilarp@contoso.com

Messages sent by the specified user or sent from a specified domain.

from:contoso.com

importance:medium

importance:low

Participants

All the people fields in an email message; these fields are From, To, CC, and BCC.1

participants:garthf@contoso.com

Messages sent by or sent to garthf@contoso.com.

participants:contoso.com

The second example returns all messages sent by or sent to a user in the contoso.com domain.

Received

The date that an email message was received by a recipient.

received:04/15/2014

Messages that were received on April 15, 2014. The second example returns all messages received between January 1, 2014 and March 31, 2014.

received>=01/01/2014 AND received<=03/31/2014

Recipients

All recipient fields in an email message; these fields are To, CC, and BCC.1

recipients:garthf@contoso.com

Messages sent to garthf@contoso.com.

recipients:contoso.com

The second example returns messages sent to any recipient in the contoso.com domain.

Sent

The date that an email message was sent by the sender.

sent:07/01/2014

Messages that were sent on the specified date or sent within the specified date range.

sent>=06/01/2014 AND sent<=07/01/2014

Subject

The text in the subject line of an email message.

subject:"Quarterly Financials"

Messages that contain the exact phrase "Quarterly Financials" in the subject line.

subject:northwind

The second example returns all messages that contain the word northwind in the subject line.

To

The To field of an email message.1

to:annb@contoso.com

All examples return messages where Ann Beebe is specified in the To: line.

to:annb

to:"Ann Beebe"