Finding a list of users who have been Spammed?

Exchange 2010
Deleting an Unwanted email and finding information afterwards.

We had a user compromised and the Account got set up to Spam a whole bunch of places. I did a search of the email server with.....Get-mailbox | search-mailbox -searchquery "name of subject" -Logonly -Targetmailbox domain\username -Targetfolder Inbox.

The screen scrolls by with the number of emails containing the "name of subject" in users accounts that had it. Then it sends an email with the Total amount to the Targetmailbox.......this showed up around 40K emails

I then Deleted those emails with:
Get-mailbox | search-mailbox -searchquery "name of subject" -DeleteContent
I typed A for all.

Been doing this for years actually. However today I would like to know "just who had them". Can I find this out after the fact? The screen scrolls by so quickly......
Peter AndersenSenior System AnalystAsked:
Who is Participating?
I wear a lot of hats...

"The solutions and answers provided on Experts Exchange have been extremely helpful to me over the last few years. I wear a lot of hats - Developer, Database Administrator, Help Desk, etc., so I know a lot of things but not a lot about one thing. Experts Exchange gives me answers from people who do know a lot about one thing, in a easy to use platform." -Todd S.

ITguy565Commented:
I do not believe you can retroactively go back and determine this information after the fact.  post deletion.
0
ITguy565Commented:
Only log I can think of that would hold this information would be the exchange transaction logs and chances are they don't go back that far.
0
Peter AndersenSenior System AnalystAuthor Commented:
The CMD screens are still on the screen where the users scrolled by but of course there are too many for the screen I can still see around 25 but one can't scroll up that high.......to get to the start.
0
Has Powershell sent you back into the Stone Age?

If managing Active Directory using Windows Powershell® is making you feel like you stepped back in time, you are not alone.  For nearly 20 years, AD admins around the world have used one tool for day-to-day AD management: Hyena. Discover why.

ITguy565Commented:
ahhh.. so you are talking about this time.. I thought you were talking about historically..
0
ITguy565Commented:
try this.. create a powershell script file ..

These two Powershell commands can help you capture and save what you have type during your Powershell session: 
Start-Transcript and Stop-Transcript. 
  
Start Powershell 
PS> 
  
At the prompt, type: 
PS> Start-Transcript c:\temp\CaptureDemo.txt 
{this command need a filename to store you sesion data} 
  
Now, type any command: 
PS> Get-Service 
  
And: 
PS> Get-Service | Get-member 
  
Then, stop the transcript: 
PS> Stop-Transcript 
  
To view the result change directory to C:\Temp then use the Powershll command "ii": 
PS> CD C:\Temp 
PS> ii C:\Temp\capturedemo.txt 
  
This command "ii" will open notepad and display the content of the file.

Open in new window



use the start-transcript and stop-transcript command to log the output to a file and the search using a text editor
0
ITguy565Commented:
#File Location used to store output file
Start-Transcript c:\temp\CaptureDemo.txt

#Powershell Command used to find output.. 
Get-mailbox | search-mailbox -searchquery "name of subject" -Logonly -Targetmailbox domain\username -Targetfolder Inbox.

#Stop the recording
Stop-Transcript 

Open in new window

0

Experts Exchange Solution brought to you by

Your issues matter to us.

Facing a tech roadblock? Get the help and guidance you need from experienced professionals who care. Ask your question anytime, anywhere, with no hassle.

Start your 7-day free trial
Peter AndersenSenior System AnalystAuthor Commented:
yeah just happened this morning. In my haste to get them off the System I just ran the command however my Supervisor is asking for a list of who got it.
In hindsight I really should have done a bit more checking but the Subject line was pretty unique.....Monday morning immediately faced with this as I walked in the door. However I just checked on our Backup Server and there were no messages yesterday on hte backup. Veeam Backup Software is AWESOME!
0
ITguy565Commented:
If you still have the information in the command window can you scroll up and see the output? if you can then you can just copy it.. If you can't then I can't think of a way that you can get that information until the next time.. Add the code above into your script and it will copy the output of your delete script and everything that it does for archival purposes.
0
Peter AndersenSenior System AnalystAuthor Commented:
I will use that for the next time for sure however I have the feeling I am screwed this time as I can't scroll up far enough.
0
ITguy565Commented:
This might be the only other option.. If you ran it though Exchange Shell :

https://social.technet.microsoft.com/wiki/contents/articles/14507.how-to-find-the-history-of-exchange-powershell-commands-ran-in-exchange-2013.aspx

I don't know the extent of the logging it does however.
0
Peter AndersenSenior System AnalystAuthor Commented:
Thanks for your help I believe I have all the info I need now.

Peter
0
It's more than this solution.Get answers and train to solve all your tech problems - anytime, anywhere.Try it for free Edge Out The Competitionfor your dream job with proven skills and certifications.Get started today Stand Outas the employee with proven skills.Start learning today for free Move Your Career Forwardwith certification training in the latest technologies.Start your trial today
Exchange

From novice to tech pro — start learning today.

Question has a verified solution.

Are you are experiencing a similar issue? Get a personalized answer when you ask a related question.

Have a better answer? Share it in a comment.