Removing specific messages from your Exchange Server


Ever so often, an Exchange administrator faces a situation where messages that fit specific criteria need to be removed from a large number of mailboxes or from Exchange transport queues. The need may arise due to some sort of mass mailing, a message sent accidentally to a large distribution group or individual recipients, or it could be one of the steps required to be taken as a part of cleanup efforts after a mass-mailing virus outbreak (although the latter have been increasingly rare and generally taken care of by Exchange-aware antivirus scanners).

The steps for accomplishing this are documented in various places in Exchange documentation, but it can be difficult to refer to multiple sources if you have a mixed environment containing several versions of Exchange Server. We wanted to provide a single place with somewhat generic instructions on how to accomplish these tasks across all currently supported versions of Exchange Server – Exchange 2010, Exchange 2007, and Exchange 2003.

Removing messages from mailboxes

Removing messages using the Shell in Exchange 2010 RTM and Exchange 2007

In Exchange 2010 RTM and Exchange 2007, you can use the Export-Mailbox cmdlet to export or delete messages. In Exchange 2010 SP1, the functionality to export a mailbox is provided by the New-MailboxExportRequest cmdlet and is covered in a separate article. The functionality to search and delete messages is provided by the Search-Mailbox cmdlet.

Permissions

In Exchange 2010, the Mailbox Export Import RBAC role must be assigned to the account used to perform this operation (using Export-Mailbox in Exchange 2010 RTM or Search-Mailbox in Exchange 2010 SP1). If the role isn’t assigned, you’ll be unable to run or “see” the cmdlet.

The versatile Export-Mailbox cmdlet can export mailbox content based on specific folder names, date and time range, attachment file names, and many other filters. A narrow search will go a long way in preventing accidental deletion of legitimate mail. For more details, syntax and parmeter descriptions, see the following topics:

The account used to export the data must be an Exchange Server Administrator, a member of the local Administrators group of the target server, and have Full Access mailbox permission assigned on the source and target mailboxes. The target mailbox you specify must already be created; the target folder you specify is created in the target mailbox when the command runs.

Adding and removing the necessary permissions

This example retrieves all mailboxes from an Exchange organization and assigns the Full Access mailbox permission to the MyAdmin account. You must run this before exporting or deleting messages from user mailboxes. Note, if you need to export or delete messages only from a few mailboxes, you can use the Get-Mailbox cmdlet with appropriate filters, or specify each source mailbox.

Get-Mailbox -ResultSize unlimited | Add-MailboxPermission -User MyAdmin -AccessRights FullAccess -InheritanceType all

After exporting or deleting messages from mailboxes, you can remove the Full Access mailbox permission, as shown in this example:

Get-Mailbox -ResultSize unlimited | Remove-MailboxPermission -User MyAdmin -AccessRights FullAccess -InheritanceType all

Removing messages

Here are a few examples that remove messages.

This example removes all messages with the subject keyword “Friday Party” and received between Sept 7 and Sept 9 from the Inbox folder of mailboxes on Server1. The messages will be deleted from the mailboxes and copied to the folder DeleteMsgs of the MyBackupMailbox mailbox. The Administrator can now review these items or delete them from the MyBackupMailbox mailbox. The StartDate and EndDate parameters must match the date format setting on the server, whether it is mm-dd-yyyy or dd-mm-yyyy.

Get-Mailbox -Server Server1 -ResultSize Unlimited | Export-Mailbox -SubjectKeywords “Friday Party” -IncludeFolders “\Inbox” -StartDate “09/07/2010” -EndDate “09/09/2010” -DeleteContent -TargetMailbox MyBackupMailbox -TargetFolder DeleteMsgs -Confirm:$false

This example removes all messages that contain the words “Friday Party” in the body or subject from all mailboxes.

Depending on the size of your environment, it is better to do the extraction/deletion in batches by using the Get-Mailbox cmdlet with the Server or Database parameters (Get-Mailbox -Server servername -ResultSize Unlimited or Get-Mailbox -Database DB_Name -ResultSize Unlimited), or specifying a filter using the Filter parameter. You can also use the Get-DistributionGroupMember cmdlet to perform this operation on members of a distribution group.

Get-Mailbox -ResultSize Unlimited | Export-Mailbox -ContentKeywords “Friday Party” -TargetMailbox MyBackupMailbox -TargetFolder ‘Friday Party’ -DeleteContent

It is recommended to always use a target mailbox (by specifying the TargetMailbox and TargetFolder parameters) so you have a copy of the data. You can review messages before purging them so any legitimate mail returned by the filter can be imported back to its owner mailbox. However, it is possible to outright delete all messages without temporarily copying them to a holding mailbox.

This example deletes all messages that contain the string “Friday Party” in the message body or subject, without copying them to a target mailbox.

Get-Mailbox | Export-Mailbox -ContentKeywords “Friday Party” -DeleteContent

Removing messages on Exchange 2003 and Exchange 2000 using ExMerge

The ExMerge utility can be used to extract mail items from mailboxes located on legacy Exchange Server versions. Follow the steps in KB 328202 HOW TO: Remove a Virus-Infected Message from Mailboxes by Using the ExMerge.exe Tool to remove unwanted messages from user mailboxes.

Removing messages from Public Folders

You can use the Outlook Object Model to remove messages from Public Folders. This works on any version of Exchange. The down side is that it’s slower and may stumble when it hits huge folders with tens of thousands of items. In Exchange 2010/2007, you can use Exchange Web Services to remove messages from Public Folders. EWS has no problem running against large folders.

The following posts have more details:

Removing messages from mail queues

There may be times where you need to purge messages from Exchange Server’s mail queues to prevent delivery of unwanted mail. For more details about mail queues, see Understanding Transport Queues.

Removing messages from mail queues on Exchange 2010 RTM and Exchange 2007

Removing a message from the queue is a two-step process. The first thing that must be done is that the message itself must be suspended. Once the messages have been suspended then you can precede with removing them from the queue. The below commands are based on suspending and removing messages based on the Subject of the message.

Exchange 2007 SP1 and SP2

This command suspends messages with the string “Friday Party” from transport queues on all Hub Transport servers in your Exchange organization:

Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | where{$_.Subject -eq “Friday Party” -and $_.Queue -notlike “*\Submission*”} | Suspend-Message

On Exchange 2007 RTM to SP2, you will not be able to suspend or remove message that are held in the Submission queue. So the command will not run against the messages in the submission queue.

This command removes all suspended messages from queues other than the Submission queue.

Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | where{$_.status -eq “suspended” -and $_.Queue -notlike “*\Submission*”} | Remove-Message -WithNDR $False

Exchange 2010 and Exchange 2007 SP3

This command suspends messages that have the string “Friday Party” in the message subject in all queues on Hub Tranpsort servers.

Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | where {$_.Subject -eq “Friday Party”} | Suspend-Message

This command removes messages that have the string “Friday Party” in the message subject in all queues on Hub Transport servers:

Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | Where {$_.Subject -eq “Friday Party”} | Remove-Message -WithNDR $False

Note, you can run the command against an individual Hub Transport server by specifiying the server name after Get-TransportServer.

Suspend and remove messages from a specified transport queue

You can also suspend and remove messages from a specified queue. To retrieve a list of queues on a transport server, use the Get-Queue cmdlet.

This example suspends messages with the string “Friday Party” in the message subject in a specified queue.

Get-Message -Queue “server\queue” -ResultSize unlimited | where{$_.Subject -eq “Friday Party”} | Suspend-Message

This example removes messages with the string “Friday Party” in the message subject in the specified queue.

Get-Message -Queue “server\queue” -ResultSize unlimited | where{$_.Subject -eq “Friday Party” } | Remove-Message -WithNDR $False

Clear queues in Exchange Server 2000 and Exchange Server 2003 with MFCMAPI

In Exchange 2003/2000, you can use MFCMapi to clear the queues. For details, see KB 906557 How to use the Mfcmapi.exe utility to view and work with messages in the SMTP TempTables in Exchange 2000 Server and in Exchange Server 2003.

If there are a large number of messages in the queue, you may want to limit how many are displayed at a time. From the tool bar select Other > Options and under Throttle Level change the value to a more manageable number (for example, 1000).

Preventing message delivery using Transport Rules

In Exchange 2010 and Exchange 2007, you can use Transport Rules to inspect messages in the transport pipeline and take the necessary actions, such as deleting a message, based on the specified criteria. See Understanding Transport Rules for more details.

On Exchange 2010 and Exchange 2007, you can use the New Transport Rule wizard from the EMC to easily create transport rules. The following examples illustrate how to accomplish this using the Shell. Note the variation in sytnax between the two versions. (The Exchange 2010 transport rule cmdlets have been simplified, allowing you to create or modify a transport rule using a one-line command.)

Creating a Transport Rule to delete messages in Exchange 2010

This example creates a transport rule to delete messages that contain the string “Friday Party” in the message subject.

New-TransportRule -Name “purge Friday Party messages” -Priority ‘0’ -Enabled $true -SubjectContainsWords ‘Friday Party’ -DeleteMessage $true

Creating a Transport Rule to delete messages in Exchange 2007

This example creates a transport rule to delete messages that contain the string “Friday Party” in the message subject.

$condition = Get-TransportRulePredicate SubjectContains
$condition.Words = @(“Friday Party”)
$action = Get-TransportRuleAction DeleteMessage
New-TransportRule -name “purge Friday Party messages” -Conditions @($condition) -Actions @($action) -Priority 0

Note: If your Exchange Organization has mixed Exchange 2007 and Exchange 2010 you will have to create a rule for each Exchange version.

Angelique Conde, Ed Bringas


Comments (17)
  1. Ratish Nair says:

    This is amazing. Shell does Magic but still we miss ExMerge.

    Ratish Nair

    MVP-Exchange

  2. Harikrishnan Sivaprakasam says:

    When a Exchange Admin thinks of removing messages he can think of this post. Great Work!!

  3. Jeff Sullivan says:

    Thanks for putting together a comprehensive doc on removing messages – very helpful! Can you also include the procedure for Exchange 2010 SP1, since it doesn’t use Export-Mailbox?

  4. Adam Solomon says:

    This issue does come up as people send career limiting e-mails — or viruses.  Is there a 2010 SP1 procedure for extracting messages?

    Is there some way to do it quickly in large environments?  The last time I had to do this in 2007 it took an uncomfortably long time (2000+ mailboxes w/1TB of mail).

  5. Daniel says:

    one question: Why write up this useful article when it doesn’t work in the current version of Exchange (2010SP1). Getting rid of the export-mailbox is something that shouldn’t have happened. i like the new mailbox export request except for one thing: there’s no delete content switch!

  6. Bharat Suneja [MSFT] says:

    @Daniel: As mentioned in the post, you can use the
    Search-Mailbox
    cmdlet, which has the -DeleteContent switch. See
    Use Mailbox Search to Delete Messages.

  7. Anthony says:

    Can you document which property keywords are available to Search-Mailbox?  I am trying to delete all messages that do not have attachments and hasattachment:false, hasattachment:no, hasattachments:no, isattachment:false, and isattachment:no do not work.

  8. Bharat Suneja says:

    @Anthony: You can use keywords supported by Exchange Search. See
    Understanding Exchange Search
    for a list. The
    HasAttachment
    keyword isn’t one of them.  

    If you use unsupported keywords in SearchQuery, you’ll get an error stating
    The property keyword isn’t supported.

  9. Andrew phillips says:

    @Bharat: The link you provided on Enderstanding Exchange Search shows this example:

    From:"April Stewart" HasAttachments:true Subject:Contoso.

    Is the example wrong or perhaps misleading in showing the use of "HasAttachments"?

  10. Brian S says:

    We used this recently after a 0-day exploit virus (‘here you have’) sent spam messages on our Exchange Server. We quickly got a transport rule in place to stop them, but still needed to get the ones that made it through, removed from Exchange DBs. Very useful tool.

    Don’t forget to use the -MaxThreads parameter to speed up the process (default is 4…max is 10 I believe?)

  11. andy says:

    We keep getting watered down capabilities of exmerge over and over.  Now the ability to delete a folder tree from a mailbox seems to be gone.  I can export the folder tree and specify Includ Folders, but I can’t see how to delete everything below a certain folder (subfolders included) from a mailbox.  search-mailbox doesn’t allow for specifying a root of the search or a specific folder within the mailbox.

  12. Brian says:

    Export-Mailbox is slow (even when using the MaxThreads 10 switch).  Bring back ExMerge!

  13. Partyface says:

    We are upgrading Exchange 2010 to SP1 and a new possibility  export mailboxes to .pst file ( New-MailboxExportRequest) is very slow. After the queue checking (Get-MailboxExportRequest) we recognized the process works only 5 threads and realy very very slow. Maxthreads option does not exist.

    Any help will be appreciated.

  14. anandkumardeva says:

    Great article…Appriciated…

  15. Anca says:

    Nice idea, beautiful post!

  16. Jeff says:

    Is there a way in Exchange 2010 to target just one user-created folder with Search-Mailbox? The situation is that we deployed a folder via a 3rd party application to all mailboxes. Now we want to copy all the items in that folder (and subsequent subfolders) to the archive and, if possible, delete the original items and folders. I could have done this in 2007 using Export-Mailbox with Include-Folder, but in Exchange 2010 with Search-Mailbox there does not appear to be a way for me to scope the search to a specific folder.

  17. James says:

    Good article, but the export-mailbox -DeleteContent in E2K7 only does a soft delete, and thus a user is able to restore the message, how can you do a hard delete?

Comments are closed.