Recover from an Email Storm in Exchange Server

An important part of working with Exchange Server is being prepared for, and dealing with, an email storm.  The term is usually associated with reply-all behavior and NDR message loops, but an email storm can also be the result of a virus or worm infection causing a large number of messages to be sent within your Exchange organization.

Identify an Email Storm

An email storm can be identified from the Exchange Management Shell by simply issuing the following command:

[powershell gutter="false"]

Get-TransportServer | Get-Queue

[/powershell]

In my experience the queue message counts during normal operations are two or less, and commonly zero across the board.  SCOM or another monitoring solution can be used to watch the queues and send a notification when they exceed normal thresholds.

Additionally, the Exchange Transport – Messages Submitted Per Second performance counter can be used to establish a baseline of messages sent per second.

Identify Messages Causing an Email Storm

In order to identify the messages causing an email storm, a unique attribute of those messages must be determined.  A common attribute to use is the message subject.  In the Exchange Management Shell, issue the following command against a queue with a large number of messages and observe the message subjects.

[powershell gutter="false"]

Get-Queue -Identity <Queue Identity> | Get-Message

[/powershell]

Clean up and Removal

In order to clean up and remove messages that are part of an email storm there are several actions that, when combined, provide an effective method to reduce the messages in the email storm.

  • Removing messages from the Exchange Transport queues.
  • Blocking the propagation of the email storm using Exchange transport rules.
  • Programmatically removing the message from Exchange mailboxes.
  • In the case of virus or worm infection of a mailbox user, setting the prohibit send limit to zero.

Removing messages from the Exchange Transport queues is a two-step process.  First, the messages that are part of the email storm should be suspended so that no further copies are delivered while you work; then the suspended messages are removed.  Use the Exchange Management Shell with a unique attribute contained in the message.  The following command removes all messages with the subject of "Me Too" without generating NDRs (an NDR for every deleted message would only add to the storm).

[powershell gutter="false"]

Get-TransportServer | Get-Queue | Get-Message -ResultSize unlimited | Where {$_.Subject -eq "Me Too"} | Remove-Message -WithNDR $False

[/powershell]

Creating an Exchange Transport Rule to delete messages effectively prevents future expansion of the email storm.  Use the Exchange Management Shell to create a new transport rule that deletes messages without notification to anyone and with the unique subject. (Note: Rules can also be created in the EMC)

[powershell gutter="false"]

New-TransportRule -Name "Email Storm" -Enabled $true -SubjectContainsWords 'Me Too' -DeleteMessage $True

[/powershell]

In the event of an email storm it is likely that a significant number of undesirable messages will already have been delivered to user mailboxes.  To assist the user community and programmatically remove these messages from recipients' mailboxes, use the script below.  It is recommended that message removal be done in batches.

Full mailbox permissions must be assigned as part of the process, and the Search-Mailbox cmdlet shown below removes the messages.  The final command removes the full mailbox permissions that were assigned.

[powershell]

Get-Mailbox -server <ServerName> -ResultSize unlimited | Add-MailboxPermission -User <Admin> -AccessRights FullAccess -InheritanceType all

Search-Mailbox -identity <Mailbox> -SearchQuery 'Subject:"Me Too"' -DeleteContent

Get-Mailbox -server <ServerName> -ResultSize unlimited | Remove-MailboxPermission -User <Admin> -AccessRights FullAccess -InheritanceType all

[/powershell]
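The four cleanup steps above (suspend and remove queued copies, block new copies with a transport rule, purge delivered copies in batches) combined into one Exchange Management Shell script. This is an added example, not a script from the original post; the subject "Me Too", the admin account CONTOSO\ExAdmin and the mailbox server MBX01 are assumed placeholder values.

```powershell
# Added example (not from the original post). Assumed values: subject "Me Too",
# admin account CONTOSO\ExAdmin, mailbox server MBX01. Run from the Exchange
# Management Shell with an account that holds the Mailbox Import Export role.
param(
    [string]$Subject   = "Me Too",
    [string]$Admin     = "CONTOSO\ExAdmin",
    [string]$Server    = "MBX01",
    [int]$BatchSize    = 50
)

# Step 1: freeze the storm in the transport queues before touching anything
# else, so no further copies leave the servers while the cleanup runs.
$stormMessages = @(Get-TransportServer | Get-Queue |
    Get-Message -ResultSize Unlimited |
    Where-Object { $_.Subject -eq $Subject })
Write-Output ("Queued storm messages found: {0}" -f $stormMessages.Count)
$stormMessages | Suspend-Message -Confirm:$false

# Step 2: stop new copies at the transport layer. Check first so the script
# is safe to re-run without creating a duplicate rule.
if (-not (Get-TransportRule -Identity "Email Storm" -ErrorAction SilentlyContinue)) {
    New-TransportRule -Name "Email Storm" -Enabled $true `
        -SubjectContainsWords $Subject -DeleteMessage $true
}

# Step 3: drop the suspended copies without NDRs (an NDR per deleted message
# would itself feed the storm).
$stormMessages | Remove-Message -WithNDR $false -Confirm:$false

# Step 4: purge delivered copies from mailboxes in batches. FullAccess is
# granted only for the duration of each batch and removed again afterwards.
$mailboxes = @(Get-Mailbox -Server $Server -ResultSize Unlimited)
for ($i = 0; $i -lt $mailboxes.Count; $i += $BatchSize) {
    $last  = [Math]::Min($i + $BatchSize, $mailboxes.Count) - 1
    $batch = $mailboxes[$i..$last]
    $batch | Add-MailboxPermission -User $Admin -AccessRights FullAccess `
        -InheritanceType All | Out-Null
    # Quote the subject so multi-word subjects are matched as a phrase.
    $batch | Search-Mailbox -SearchQuery ('Subject:"{0}"' -f $Subject) `
        -DeleteContent -Force
    $batch | Remove-MailboxPermission -User $Admin -AccessRights FullAccess `
        -InheritanceType All -Confirm:$false
}
```

Search-Mailbox -DeleteContent permanently removes the matching items, so run the script once with -DeleteContent removed (it then only reports matches) before deleting anything.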
