Saturday, July 16, 2016

How to Suspend a Queue to manage the spam in Exchange server 2013

Managing spam in Exchange Server

Exchange Server 2013 is receiving an unusual amount of spam in the clients' mailboxes. What can be done?

1. Stop the Submission queue ("mail\Submission", where "mail" is the server name) during the night

Open the Exchange Management Shell and run:

Suspend-Queue -Identity mail\Submission -Confirm:$false

This suspends the Submission queue without asking for confirmation (-Confirm:$false).


2. Detect the subjects most commonly used by the spammers

In my case they were "FW:", "scanned", "attached" and "RE:".


So I suspended all those messages by running:

Get-Queue -Identity mail\Submission | Get-Message | Where-Object { $_.Subject -match "RE:" -or $_.Subject -match "FW:" -or $_.Subject -match "scanned" -or $_.Subject -match "attached" } | Suspend-Message


After this, all the suspicious messages are in the "Suspended" state and will not leave the queue.


3. Create a transport rule and populate it with the list of domains to be blocked

Create the rule manually in the ECP:

Mail flow / Rules / + / Create a new rule
Click "More options"
In the Name field enter "Blocked Domains"
Add the condition "The sender's domain is" with a placeholder domain (for example domain.com), click "+" and then "OK"
Finally, save the rule

4. Populate the rule

Now run the following. The original pipeline collected the domains inside the foreach block (so nothing reached Select), and then read a non-existent .domain property of each string; this version builds the list directly and keeps $domains an array even when the rule currently holds a single domain:

# Domains already in the rule (@() keeps this an array even for one value)
$domains = @(Get-TransportRule "Blocked Domains" | Select-Object -ExpandProperty SenderDomainIs)

# Sender domains of the queued messages whose subject matches the spam patterns
$exported = Get-Queue -Identity mail\Submission | Get-Message |
    Where-Object { $_.Subject -match "RE:" -or $_.Subject -match "FW:" -or $_.Subject -match "scanned" -or $_.Subject -match "attached" } |
    ForEach-Object { ($_.FromAddress -split "@")[1] }

# Merge both lists, drop empty entries and duplicates, and write them back to the rule
$domains2add = @($domains + $exported) | Where-Object { $_ } | Select-Object -Unique
Set-TransportRule "Blocked Domains" -SenderDomainIs $domains2add

You will get the rule populated with the existing domains plus the new ones.
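Before suspending or blocking anything (steps 2 to 4 above), it helps to see which sender domains the matching messages actually come from. The following is an added example, not code from the original post: it assumes the Exchange Management Shell, the server name "mail" from the post and the author's subject keywords, ranks the matching sender domains by volume, and warns when one of them is an accepted domain of your own organization, which must not end up in the block rule.

```powershell
# Added example (not from the original post). Assumes the Exchange Management
# Shell on the server, the queue identity "mail\Submission" from the post and
# the subject keywords the author observed.
$QueueIdentity = "mail\Submission"
$SpamKeywords  = @("RE:", "FW:", "scanned", "attached")

# Build one regex from the keywords, escaping them so "RE:" is matched literally
$pattern = ($SpamKeywords | ForEach-Object { [regex]::Escape($_) }) -join "|"

# Accepted domains of this organization must never be added to the block rule
$ownDomains = Get-AcceptedDomain | ForEach-Object { $_.DomainName.ToString().ToLower() }

# One record per queued message whose subject matches a spam keyword
$hits = Get-Queue -Identity $QueueIdentity | Get-Message -ResultSize Unlimited |
    Where-Object { $_.Subject -match $pattern } |
    ForEach-Object {
        [PSCustomObject]@{
            Domain  = (($_.FromAddress -split "@")[1]).ToLower()
            Subject = $_.Subject
            Status  = $_.Status
        }
    }

# Rank sender domains by how many matching messages they have in the queue
$report = $hits | Group-Object Domain | Sort-Object Count -Descending | ForEach-Object {
    [PSCustomObject]@{
        Domain    = $_.Name
        Messages  = $_.Count
        Suspended = @($_.Group | Where-Object { $_.Status -eq "Suspended" }).Count
        Subjects  = ($_.Group | Select-Object -ExpandProperty Subject -Unique) -join "; "
        Internal  = $ownDomains -contains $_.Name
    }
}

$report | Format-Table -AutoSize -Wrap

if ($report | Where-Object { $_.Internal }) {
    Write-Warning "Some matching senders use one of your accepted domains; review them before blocking."
}

# Candidate block list: external domains only, ready for Set-TransportRule -SenderDomainIs
$candidates = $report | Where-Object { -not $_.Internal } | Select-Object -ExpandProperty Domain
$candidates
```

Review the table before feeding $candidates to Set-TransportRule, since a forged or compromised legitimate sender that appears once is not the same as a domain flooding the queue.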

5. Remove the suspended messages and resume the queue

Get-Queue -Identity mail\Submission | Get-Message | Where-Object { $_.Status -eq "Suspended" } | Remove-Message -Confirm:$false
Resume-Queue -Identity mail\Submission

MSCE José Ortega

Please consider to donate and thank you very much for reading this.
