Topic Last Modified: 2009-03-19

This topic describes how to use the Exchange Management Shell in Microsoft Exchange Server 2007 to export e-mail messages from a message queue.

You may experience a situation in which an Exchange server that is configured as an open relay has been used to send unsolicited commercial e-mail (UCE), also known as spam, to the Internet. In this scenario, you may have to deal with the following issues:

This topic is intended to help address these issues.

Before You Begin

To perform the following procedures, the account you use must be delegated the following:

  • Exchange Server Administrator role and local Administrators group for the server

Additionally, there are certain things to consider when you perform the procedures that are described in this document.

  • You can export messages from the Exchange queues for later playback into Exchange. However, you cannot export messages from the Submission queue. To work around this issue, you can pause the Microsoft Exchange Transport service. This action allows the Submission queue to empty. However, depending on how many messages are queued, emptying the Submission queue could take a long time.

  • The procedure to extract legitimate e-mail messages from the message queue assumes that most of the spam messages are not addressed to recipients in your organization or are not from recipients in your organization. Therefore, the filters that are used to extract the messages are based on the domain or domains that your organization hosts. If spam messages are directed to or from your domains, you will export some spam messages together with legitimate e-mail messages.

Procedures

To export e-mail messages from the Exchange 2007 queues, follow these general steps. (Each of these general steps is described in more detail later in this topic.)

  1. Pause the Microsoft Exchange Transport service.

  2. Suspend, and then export legitimate e-mail messages. To do this, use the following command:

    Get-Message <filter> | Suspend-Message | Export-Message -path <path>
    
  3. Stop the Microsoft Exchange Transport service.

  4. Rename the Queue folder.

  5. Start the Microsoft Exchange Transport service.

  6. Copy the exported messages into the Replay folder.

To pause the Microsoft Exchange Transport service
  1. Click Start, click Run, type services.msc, and then click OK.

  2. In the Services MMC snap-in, click Microsoft Exchange Transport, and then click Pause.

  3. Start the Exchange Management Console, and then click Toolbox.

  4. Under Mail Flow Tools, double-click Queue Viewer.

  5. Click the Queues tab, and then note the value that appears in the Message Count column for the Submission queue.

  6. Allow sufficient time for the message count to reach zero (0).

To suspend and then export legitimate e-mail messages
  1. Use Windows Explorer to create a destination folder for the exported e-mail messages. This folder must be created before you can export the messages successfully. The folder may be on a local hard disk drive or on a shared network drive.

  2. Start the Exchange Management Shell.

  3. At the shell prompt, export messages that have your domain specified in the From field. To do this, run the following command:

    Get-Message | where{$_.FromAddress -like "*@contoso.com"} | Suspend-Message | Export-Message -path <path>
    

    In this command, replace contoso.com with the appropriate domain and replace <path> with the path to which you want to export the messages, such as c:\export.

  4. At the shell prompt, export messages that have your domain specified in the To field. To do this, run the following command:

    Get-Message -IncludeRecipientInfo | where{$_.Recipients -like "*@contoso.com"} | Suspend-Message | Export-Message -path <path>
    
  5. Follow steps 2 through 3 for each domain for which your organization handles e-mail.

To stop the Microsoft Exchange Transport service
  1. Click Start, click Run, type services.msc, and then click OK.

  2. In the Services MMC snap-in, click Microsoft Exchange Transport, and then click Stop.

To rename the Queue folder
  1. Start Windows Explorer, and then locate the Queue folder. By default, this folder has the following path:

    C:\Program Files\Microsoft\Exchange Server\TransportRoles\data\Queue

  2. Right-click Queue, and then click Rename. Use a descriptive name, such as spam-Queue, to rename the folder.

  3. Start the Microsoft Exchange Transport service. The Microsoft Exchange Transport service automatically creates a new Queue folder together with the following files:

    • mail.que

    • tmp.edb

    • trn.chk

    • trn

    • trnres00001.jrs

    • trnres00002.jrs

    • trntmp

    Mail flow should now be successfully restored in the organization.

To replay the exported messages
  1. Use Windows Explorer to locate the Replay folder. By default, this folder has the following path:

    C:\Program Files\Microsoft\Exchange Server\TransportRoles\Replay

  2. Copy the messages that you exported earlier to the Replay folder.
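
The whole procedure above, scripted for the Exchange Management Shell. This is an added example, not part of the original topic. The domain list, the export path, the use of $env:COMPUTERNAME as the server name, and the service name MSExchangeTransport are assumptions; the folder paths are the defaults given in this topic.

```powershell
# Added example: run in the Exchange Management Shell on the affected transport server.
# Assumed values: $Domains and $ExportPath are placeholders for your environment.
$Domains    = @("contoso.com")
$ExportPath = "C:\export"
$DataDir    = "C:\Program Files\Microsoft\Exchange Server\TransportRoles\data"
$ReplayDir  = "C:\Program Files\Microsoft\Exchange Server\TransportRoles\Replay"

# The destination folder must exist before messages can be exported.
if (-not (Test-Path $ExportPath)) {
    New-Item -ItemType Directory -Path $ExportPath | Out-Null
}

# Pause transport, then wait for the Submission queue to reach zero,
# because messages cannot be exported from the Submission queue.
Suspend-Service MSExchangeTransport
while ((Get-Queue -Identity "$env:COMPUTERNAME\Submission").MessageCount -gt 0) {
    Start-Sleep -Seconds 30
}

# Repeat both export commands for every domain the organization handles.
foreach ($domain in $Domains) {
    $pattern = "*@$domain"

    # Messages that have the domain in the From field.
    Get-Message | where { $_.FromAddress -like $pattern } |
        Suspend-Message -Confirm:$false | Export-Message -Path $ExportPath

    # Messages that have the domain in the To field.
    Get-Message -IncludeRecipientInfo | where { $_.Recipients -like $pattern } |
        Suspend-Message -Confirm:$false | Export-Message -Path $ExportPath
}

# Report how many files were exported before the queue database is set aside.
$exported = @(Get-ChildItem $ExportPath).Count
Write-Host "Exported $exported message file(s) to $ExportPath"

# Stop transport, rename the Queue folder, and start transport again.
# The service creates a new, empty Queue folder on startup.
Stop-Service MSExchangeTransport
Rename-Item -Path (Join-Path $DataDir "Queue") -NewName "spam-Queue"
Start-Service MSExchangeTransport

# Resubmit the exported messages through the Replay folder.
Copy-Item -Path (Join-Path $ExportPath "*") -Destination $ReplayDir
```

The renamed spam-Queue folder is left on disk, so the original queue database remains available if the relayed messages need to be examined later.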

For More Information

By default, Exchange 2007 processes messages in the Replay folder at a rate of approximately 100 messages per minute. For more information about how to change the message processing rate and for more information about how to configure the Replay folder, see How to Configure the Replay Directory.

For more information about how to export and resubmit messages to Exchange, see How to Export and Resubmit Messages.
