An administrator recently asked for help:
We’ve been hit with a miserable phishing attack that has just pounded our mail stores (Exchange 2003) with emails that we would like to remove from everyone’s mailboxes. Do you know of a way of removing all messages with a specific subject line from our Exchange server?
Yes, this is possible. How it's done is different in each version of Exchange:
Exchange 2007 or 2010: Export-Mailbox cmdlet
Exchange 2010: Use the GUI to export from the Exchange Management console
Exchange 2003 or 2007: Exmerge
Additionally, most antivirus and content control software can remove messages from mailboxes.
While you can export to a folder in another mailbox, if you want to export to a pst, you need to install Outlook 2010 64-bit on the Exchange 2010 mailbox server where you are performing the import. For Exchange 2007, you can install the Exchange Management Tools on a 32-bit workstation where Outlook is installed.
With Exchange 2010 you'll need explicit permission for the “Mailbox Import Export” management role. You can set it using this cmdlet:
New-ManagementRoleAssignment –Role "Mailbox Import Export" –User administrator
You'll use the following cmdlet in either Exchange 2007 or 2010 to find and delete items from a mailbox in a specific database. In this example, we are exporting the items to the Phishing folder in the Spam mailbox and deleting them from the source mailbox. The mailbox you export to needs to exist, but the folder will be created if it does not exist. After the cmdlet has finished, you can delete the folder from the mailbox (or delete the pst, if you exported to a pst.)
Get-Mailbox -Database database_name | Export-Mailbox -TargetMailbox Spam -TargetFolder Phishing -SubjectKeywords "phishing subject" -DeleteContent
If you prefer to use Exchange 2010's GUI, open the Exchange Management Console to the mailboxes. Select the mailboxes you want to export from then right click and choose Export Mailbox. Select the target mailbox and enter a name for the target folder then complete the wizard.
When you run ExMerge, you'll choose the two-step procedure. When you get to the Options, go to Import Procedure tab and select the option to archive data – this will delete the message from the users mailbox. Then use the Date and Message Details tab to set a date range and enter the subject. When you run ExMerge it will remove all of the messages meeting the conditions you set for the date and message details.