About 3 or 4 times a week a clever spammer gets a message through my Sonicwall ESA and I need to scrub it from the exchange server. I'm network admin at a school, and students are suckers for that stuff. I run the following command as a global admin on my exchange server power shell:
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'Subject:"Re-Please Update Your Password"' -DeleteContent
The odd thing is, about 99 out of 100 times it works. Within a few minutes the message with the aforementioned email disappears from my inbox and I go about my day. Once in a while, like today with the exact command listed above, I get a stubborn email that just won't go. At first I thought it was choking on the dash, so I changed the command to:
Get-Mailbox -ResultSize Unlimited | Search-Mailbox -SearchQuery 'Subject:"Please Update Your Password"' -DeleteContent
Still no joy. I'm not getting any errors, the command appears to run like normal. Anyone else run into this before? Any pointers?
Thanks.
-Bishop
I've had similar issues, tho they were more obvious (multiple [8-12] spaces). So instead of running the command over and over increasing the spaces in the query or configuring an expression for every case, I just grabbed the subjectline itself.
find the message in your mailbox, pull the subject into a variable, use that as the Searchquery.
-FS
Related
I am looking for cmdlet which would allow me to search and fetch email body/to/from information. Currently I am using Search-Mailbox but I am getting only the resultItemCount. Any idea how to get actual body via cmdlet?
If you use exchange online powershell.
You can identify emails for the past 48 hours ( up to ten days if you specify start and end date).
$messages = Get-MessageTrace -SenderAddress anEmail#YourExchange.com -StartDate 03/21/2021 -Enddate 03/31/2021
Get-message -messageId $messages[1].messageid
Will return the message from the first one on the list that is returned.
For more info, check out this documentation from microsoftdocs.
https://learn.microsoft.com/en-us/powershell/module/exchange/get-message?view=exchange-ps
Are you an exchange admin?? If you are, or have access to exchange admin credentials, I would check out this tool (which is used by hackers to search email) called MailSniper https://github.com/dafthack/MailSniper It is technically for pentesting... but if you wanted to search your emails for body content this would work.
It's a powershell module, pretty easy to use, just download it, go to that directory in powershell, import the module, and start running the commands. For what you are looking for, some commands to look at are:
Invoke-SelfSearch (if you're looking for your own mailbox)
Invoke-GlobalMailSearch (if you're looking through others' mailboxes)
Okay, so this seems like a silly question, but I can't seem to find anything about it. I've checked in the AQS and haven't seen anything about it yet either. So I'm trying to conduct a search on the subject line of all mailboxes in my organization with a query like this:
foreach ($db in $mdblist) {Get-Mailbox -Database $db -ResultSize Unlimited |
Search-Mailbox -SearchQuery 'subject:"Monthly Expences Report" AND attachment:"Report_######.doc"' -LogOnly -LogLevel FULL -TargetMailbox joseph.c.larrew -TargetFolder Searches\1003333 |
Both the subject parameter and attachment parameter are literal strings and I did mean to spell "expences" that way.
I can do a search for just the subject and a separate search for the attachment and both give positive results, but when I "AND" them, no results. I've done a search against a specific mailbox that I know should come up with a positive and still no dice. Any thoughts?
I need to find a way to check mailbox size and items count under PowerShell, but without using exchange snapin/module.
Normally this command would look like this:
Get-MailboxStatistics "XXX" | ft TotalItemSize, ItemCount
My goal is to checked those things without exchange specific commands. I don't have much knowledge about ADSI, but maybe this is the key to solve this.
Does anyone have any idea?
To preface this all, I am running this script in the US against a US mailbox server. The mail that I am wanting to delete is also mail that I have exported to a PST.
The mailbox Export uses a ContentFilter while a deleteContent uses a SearchQuery. These 2 acts of grabing information seem to act very different to me.
I have successfully been able to export the mail I want to a PST, however deleting the content has been posing a huge problem.
I am trying to delete mailbox items that are before the current get-date using the code below. I swear I have been following Microsoft's documentation on this, however nothing is working for me.
$date = (get-date -hour 00 minute 00 second 00).ToShortDateString()
Search-Mailbox -Identity "id" -SearchQuery "Received:<$($date)" -deleteContent -force
This is not working. I am getting an error:
The property keyword isn't supported.
+ CategoryInfo : InvalidArgument: (:) [], ParserException
Please see edits below as I have fixed my string, however the issue still persists. It seems as though the < is what is messing up the query.
EDIT
"Received:<'$date'" - This executes when I specify it as my SearchQuery however no results come back.
It seems like the < is what is messing up my query. Once I remove the < and leave the query as "Received:'$date'" it deletes all emails from todays date.
Also, it appears that the time is offset by 5 hours when doing this. I am in the US and the mailbox server I am running this on is in the US, yet it is still acting like it could be using UTC time. How do I fix this? More importantely though, why isn't my less than working.
EDIT 2:
I have also attempted to do querys such as "Received -lt '$date'" this is not working also.
Try: $date.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
While the above will get you an ISO 8601 datetime, it doesn't look like the search query is using the full thing. I did find that the below syntax seem to work at least for the date part:
$date = (get-date).Date.ToUniversalTime().ToString("yyyy-MM-ddTHH:mm:ssZ")
Search-Mailbox -Identity "id" -SearchQuery "Received<$date" -deleteContent -force
The SearchQuery argument is using KQL, which is documented at: http://msdn.microsoft.com/en-us/library/office/ee558911(v=office.15).aspx
Unfortunately since it seems Exchange is ignoring the time part, I'm guessing that this is going to be limited to filtering at UTC midnight. Looking at the docs, there is shorthand that will give you the same results:
Search-Mailbox -Identity "id" -SearchQuery "Received<today" -deleteContent -force
I need to run a Get-Mailbox | Get-MailboxStatistics command across a large number of mailboxes but the majority have never been used as it is a new install. As a result, I have to sit through hundreds of lines of
WARNING: There is no data to return for the specified mailbox '<mailbox DN>' because it has not been logged on to.
It would seem that I need to use a server-side filter of some kind but I haven't been able to find anything appropriate.
What can I do here?
There is no server side filtering in Get-MailboxStatistics and I can't repro it. Can you try this:
Get-Mailbox | Get-MailboxStatistics -warningAction silentlyContinue
This is the standard PS behavior for warnings. You can find Shay's parameter in the help for common_parameters get-help about_common_parameters. Alternately, you can set $WarningPreference = silentlycontinue. There are no statistics to return as the mailboxes have not yet been initialized, hence the warning.