Finding a list of users who have been Spammed?

Exchange 2010
Deleting an Unwanted email and finding information afterwards.

We had a user compromised and the Account got set up to Spam a whole bunch of places. I did a search of the email server with.....Get-mailbox | search-mailbox -searchquery "name of subject" -Logonly -Targetmailbox domain\username -Targetfolder Inbox.

The screen scrolls by with the number of emails containing the "name of subject" in users accounts that had it. Then it sends an email with the Total amount to the Targetmailbox.......this showed up around 40K emails

I then Deleted those emails with:
Get-mailbox | search-mailbox -searchquery "name of subject" -DeleteContent
I typed A for all.

Been doing this for years actually. However today I would like to know "just who had them". Can I find this out after the fact? The screen scrolls by so quickly......
Peter AndersenSenior System AnalystAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

I do not believe you can retroactively go back and determine this information after the fact.  post deletion.
Only log I can think of that would hold this information would be the exchange transaction logs and chances are they don't go back that far.
Peter AndersenSenior System AnalystAuthor Commented:
The CMD screens are still on the screen where the users scrolled by but of course there are too many for the screen I can still see around 25 but one can't scroll up that get to the start.
Determine the Perfect Price for Your IT Services

Do you wonder if your IT business is truly profitable or if you should raise your prices? Learn how to calculate your overhead burden with our free interactive tool and use it to determine the right price for your IT services. Download your free eBook now!

ahhh.. so you are talking about this time.. I thought you were talking about historically..
try this.. create a powershell script file ..

These two Powershell commands can help you capture and save what you have type during your Powershell session: 
Start-Transcript and Stop-Transcript. 
Start Powershell 
At the prompt, type: 
PS> Start-Transcript c:\temp\CaptureDemo.txt 
{this command need a filename to store you sesion data} 
Now, type any command: 
PS> Get-Service 
PS> Get-Service | Get-member 
Then, stop the transcript: 
PS> Stop-Transcript 
To view the result change directory to C:\Temp then use the Powershll command "ii": 
PS> CD C:\Temp 
PS> ii C:\Temp\capturedemo.txt 
This command "ii" will open notepad and display the content of the file.

Open in new window

use the start-transcript and stop-transcript command to log the output to a file and the search using a text editor
#File Location used to store output file
Start-Transcript c:\temp\CaptureDemo.txt

#Powershell Command used to find output.. 
Get-mailbox | search-mailbox -searchquery "name of subject" -Logonly -Targetmailbox domain\username -Targetfolder Inbox.

#Stop the recording

Open in new window

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Peter AndersenSenior System AnalystAuthor Commented:
yeah just happened this morning. In my haste to get them off the System I just ran the command however my Supervisor is asking for a list of who got it.
In hindsight I really should have done a bit more checking but the Subject line was pretty unique.....Monday morning immediately faced with this as I walked in the door. However I just checked on our Backup Server and there were no messages yesterday on hte backup. Veeam Backup Software is AWESOME!
If you still have the information in the command window can you scroll up and see the output? if you can then you can just copy it.. If you can't then I can't think of a way that you can get that information until the next time.. Add the code above into your script and it will copy the output of your delete script and everything that it does for archival purposes.
Peter AndersenSenior System AnalystAuthor Commented:
I will use that for the next time for sure however I have the feeling I am screwed this time as I can't scroll up far enough.
This might be the only other option.. If you ran it though Exchange Shell :

I don't know the extent of the logging it does however.
Peter AndersenSenior System AnalystAuthor Commented:
Thanks for your help I believe I have all the info I need now.

It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today

From novice to tech pro — start learning today.