I have an external service which provides blacklist and RBL filtering, as well as SPAM fingerprinting. It’s pretty effective. Even so, here’s one that comes up fairly regularly: an email with a malicious link makes it into many user’s mailboxes.
Usually this sender is trusted, such as an employee’s personal email address, a customer’s address, or the like. With that, lots of people will assume it’s legit and click the link…and it’s off to the races depending how well you’re patched against things like the recent wave of Java 0-days.
In this scenario, I received such email from a known good customer. In the To and CC lines, I saw many people in my organization ended up on the receiving end of this email, too.
Here’s a quick Powershell script to run that’ll scoop out emails from your Exchange store using any combination of subject, from sender, and sent date.
Get-Mailbox -resultsize unlimited | Search-Mailbox -SearchQuery “Subject:xxxxxx",”From:firstname.lastname@example.org”,”Sent:02/22/2013" –DeleteContent -TargetMailbox “email@example.com” -TargetFolder “export-folder” -loglevel full
Ok, so let’s look at that really quickly. We’re using the Exchange Powershell module and calling the Get-Mailbox cmdlet with no extra arguments other than “-resultsize unlimited”. This makes the entire mailstore your searchbase. Next, we pipe the search base to “search-mailbox” with our query criteria. Like I mentioned, you can mix and match based on what you have to work with – so if the message you need deleted has no subject, take that out, if it’s from random email addresses but has a common subject, take that out.
The last part is DeleteContent with a target mailbox. This should be an admin users’ box – what this does is it deletes mail from any other users’ box and drops it into your TargetFolder (if this folder doesn’t exist, it’ll be created for you). Now you can verify all the messages you wanted deleted are present in Outlook/OWA and erase the folder. Malicious message gone from your Exchange server!
Remember, the more specific you are, the better. Searching for any email with the subject of “Hey” mailed last Thursday WILL delete all messages that match, legit or not.
Also useful for when you send the embarrassing tale of your weekend escapades to “All” instead of “Allie”, the cute girl in accounting.