How many Recipients, Power shell

  • Question

  • Is there a PowerShell script that will give me the number of recipients a user has sent to in an email?

    We are trying to track down spammers/compromised mailboxes, since the spammers we have encountered only send out a few emails but have a lot of recipients in them.

    v/r

    tiny

    Friday, January 10, 2014 5:54 PM

All replies

  • You can get this info from the message tracking logs - you can search on the email address of the sender, then take the Recipients field and determine how many are on each message received.  Something like the following for a one-week period (and you will need to work with this code - this is just a guess):

    $Now = Get-Date
    $OneWeekAgo = $Now.AddDays(-7)
    $i = 0
    $Recips = 0
    get-messagetrackinglog -Sender "dave@company.com" -EventID "RECEIVE" -Start $OneWeekAgo -End $Now | % {
        $i++
        $Recips += $_.Recipients
    }
    "This sender sent $i messages to $Recips recipients from $OneWeekAgo until $Now"

    Friday, January 10, 2014 6:49 PM
  • Willard,

    So cool, thanks for the reply. In your script it assumes I know the user; what I'm trying to find is users who are spammers in our org. We have a lot of professors who leave for the holidays and don't log on to their mailboxes, but have been a victim of some phishing email. So how would I identify those? I'm thinking with the Get-Mailbox cmdlet, but where would I put it?

    tiny

    Friday, January 10, 2014 6:55 PM
  • Are these internal senders?  The Get-Mailbox command will only return a list of mailboxes, not the items that are IN the mailboxes represented by that list.  But you can modify the above to run through all of your internal mailboxes to get the following:

    $Now = Get-Date
    $OneWeekAgo = $Now.AddDays(-7)
    $i = 0
    $Recips = 0
    Get-Mailbox -ResultSize Unlimited | % {
        $Sender = $_
        get-messagetrackinglog -Sender $Sender.PrimarySmtpAddress -EventID "RECEIVE" -Start $OneWeekAgo -End $Now | % {
            $i++
            $Recips += $_.Recipients
        }
        "$($Sender.DisplayName) sent $i messages to $Recips recipients from $OneWeekAgo until $Now"

    }

    If you are checking on external senders, that's going to be a ton more difficult ...

    Friday, January 10, 2014 7:33 PM
  • Willard, thanks for the quick reply, no these will all be mailboxes internally.
    Friday, January 10, 2014 8:36 PM
  • Tried running the script like this, .\findspammer.ps1 >findspammer.txt, and I get this error; the report is showing zero email for everyone.

    Pipeline not executed because a pipeline is already executing. Pipelines cannot be executed concurrently.
        + CategoryInfo          : OperationStopped: (Microsoft.Power...tHelperRunspace:ExecutionCmdletHelperRunspace) [],
       PSInvalidOperationException
        + FullyQualifiedErrorId : RemotePipelineExecutionFailed

    Friday, January 10, 2014 9:19 PM
  • Try this instead:

    $Now = Get-Date
    $OneWeekAgo = $Now.AddDays(-7)
    $i = 0
    $Recips = 0
    ForEach ($mbx in (Get-Mailbox -ResultSize Unlimited)) {
      $Sender = $mbx
      get-messagetrackinglog -Sender $Sender.PrimarySmtpAddress -EventID "RECEIVE" -Start $OneWeekAgo -End $Now | % {
        $i++
        $Recips += $_.Recipients
      }
      "$($Sender.DisplayName) sent $i messages to $Recips recipients from $OneWeekAgo until $Now"
    }

    It eliminates one pipeline.


    --- Rich Matheisen MCSE&I, Exchange MVP


    Saturday, January 11, 2014 6:52 PM
  • You can also add a Sort after any pipeline to clear this error.  So my above script becomes:

    $Now = Get-Date
    $OneWeekAgo = $Now.AddDays(-7)
    $i = 0
    $Recips = 0
    Get-Mailbox -ResultSize Unlimited | Sort Name | % {
        $Sender = $_
        get-messagetrackinglog -Sender $Sender.PrimarySmtpAddress -EventID "RECEIVE" -Start $OneWeekAgo -End $Now | Sort EventID | % {
            $i++
            $Recips += $_.Recipients
        }
        "$($Sender.DisplayName) sent $i messages to $Recips recipients from $OneWeekAgo until $Now"
    }

    Monday, January 13, 2014 1:30 PM
  • Rich, thanks...

    I get this error...

    Unexpected token '{' in expression or statement.
    At C:\users\x3serv\Desktop\Powershellcommands\findspamme2r.ps1:5 char:55
    + ForEach ($mbx in (Get-Mailbox -ResultSize Unlimited) { <<<<
        + CategoryInfo          : ParserError: ({:String) [], ParseException
        + FullyQualifiedErrorId : UnexpectedToken

    Monday, January 13, 2014 6:05 PM
  • Willard, thanks again.

    I get this error and don't know if it's connected, but no recipients:

    "Zod Schultz sent 1 messages to 0 recipients from 01/12/2014 10:16:08 until 01/13/2014 10:16:08
    Zoe Jarocki sent 1 messages to 0 recipients from 01/12/2014 10:16:08 until 01/13/2014 10:16:08
    Zulema Diaz sent 1 messages to 0 recipients from 01/12/2014 10:16:08 until 01/13/2014 10:16:08"

    Cannot convert the "System.String[]" value of type "System.String[]" to type "System.Int32".
    At C:\users\x3serv\Desktop\Powershellcommands\findspammer.ps1:9 char:19
    +         $Recips += <<<<  $_.Recipients
        + CategoryInfo          : NotSpecified: (:) [], RuntimeException
        + FullyQualifiedErrorId : RuntimeException

    Monday, January 13, 2014 6:30 PM
  • Tiny,

    There is a string value that the script is trying to convert to an integer.  You will need to run the script in the ISE to debug it and find the issue.  I also suspect you will need a good book on using PowerShell.  Here's my best guess on how this issue might be solved:

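    $Now = Get-Date
    $OneWeekAgo = $Now.AddDays(-7)
    Get-Mailbox -ResultSize Unlimited | Sort Name | % {
        $Sender = $_
        # Reset the counters for each mailbox so the totals are per sender, not cumulative
        $i = 0
        $Recips = 0
        # Sort collects the full result set before the next stage runs
        Get-MessageTrackingLog -Sender $Sender.PrimarySmtpAddress -EventID "RECEIVE" -Start $OneWeekAgo -End $Now | Sort EventID | % {
            $i++
            # Recipients is a string array: count its elements instead of adding it to an integer
            $RecipAry = [array]($_.Recipients)
            $Recips += $RecipAry.Count
        }
        "$($Sender.DisplayName) sent $i messages to $Recips recipients from $OneWeekAgo until $Now"
    }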

    • Marked as answer by Tinyski Monday, January 27, 2014 5:57 PM
    Monday, January 13, 2014 6:43 PM
  • What's ISE??
    Monday, January 13, 2014 6:45 PM
  • The PowerShell integrated scripting environment.  Considering your current level of expertise, I suggest trying the script I sent first.  Then, if it still fails, get a good book on PowerShell and see if you can figure out where you are having the issues.
    Monday, January 13, 2014 6:50 PM
  • I'll add that if you have more than one hub transport server in your environment, this script will need additional modifications.
    Monday, January 13, 2014 6:53 PM
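
Added example, not posted by anyone in this thread: a PowerShell function that takes message tracking records from the pipeline, counts each message once per sender, and reports senders whose largest single message reached a recipient threshold, which is the few-messages, many-recipients pattern the question describes. The function names, the threshold value and the sample records are assumptions made for illustration; the commented last line shows how the logs of every transport server would be fed in.

```powershell
function Get-SenderRecipientSummary {
    param(
        [Parameter(ValueFromPipeline = $true)] $Record,
        [int] $Threshold = 50   # assumed cut-off; tune it for your organisation
    )
    begin { $seen = @{}; $stats = @{} }
    process {
        if (-not $Record) { return }
        # The same message can be logged more than once (several RECEIVE events,
        # or several transport servers), so count each sender/MessageId pair once.
        $key = "$($Record.Sender)|$($Record.MessageId)"
        if ($seen.ContainsKey($key)) { return }
        $seen[$key] = $true
        # Recipients is a string array; @() keeps Count correct for one recipient.
        $n = @($Record.Recipients).Count
        if (-not $stats.ContainsKey($Record.Sender)) {
            $stats[$Record.Sender] = New-Object PSObject -Property @{
                Sender = $Record.Sender; Messages = 0; TotalRecipients = 0; MaxRecipients = 0 }
        }
        $s = $stats[$Record.Sender]
        $s.Messages++
        $s.TotalRecipients += $n
        if ($n -gt $s.MaxRecipients) { $s.MaxRecipients = $n }
    }
    end {
        # Report only senders with at least one message at or above the threshold.
        $stats.Values | Where-Object { $_.MaxRecipients -ge $Threshold } |
            Sort-Object MaxRecipients -Descending |
            Select-Object Sender, Messages, TotalRecipients, MaxRecipients
    }
}

# Constructed sample records (not real log data) so the function can be tried offline.
function New-SampleRecord($Sender, $Id, $Count) {
    New-Object PSObject -Property @{ Sender = $Sender; MessageId = $Id
        Recipients = [string[]](1..$Count | % { "user$($_)@example.net" }) }
}
$sample = @(
    (New-SampleRecord 'prof1@example.edu' '<m1@example.edu>' 120),
    (New-SampleRecord 'prof1@example.edu' '<m1@example.edu>' 120),  # duplicate log entry
    (New-SampleRecord 'prof2@example.edu' '<m2@example.edu>' 1),
    (New-SampleRecord 'prof2@example.edu' '<m3@example.edu>' 3)
)
$sample | Get-SenderRecipientSummary -Threshold 50

# Against live logs in the Exchange Management Shell, covering every transport server:
# Get-TransportServer | Get-MessageTrackingLog -EventId RECEIVE -Start (Get-Date).AddDays(-7) -ResultSize Unlimited | Get-SenderRecipientSummary
```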