Killing Spam with Exchange IMF and PowerShell

If you have an Exchange shop, you probably have Exchange Intelligent Message Filter.  The IMF filters out junk mail to a folder (usually Program files\exchsrvr\mailroot\vsi 1\ucearchive) which you must inspect for false positives and empty from time to time.

There are tools to manage the IMF archive;  I use Daryl Maunder’s Exchange IMF Archive Manager and there is also IMFCompanion, but neither of these tools will empty the archive automatically.  Realistically, in a small shop like SATV’s, it’s a burden to manually inspect the archives;  as spam volume gets heavier, inspection is no longer viable.

I just use a simple PowerShell script that counts the items in the IMF archive, notes the count in the Application log and then deletes the items.

Here’s the code.  Most of it is housekeeping to manage the event log:

# Delete-IMFSpam  - Deletes spam mail from Exchange IMF Folder
# Deletes spam mail from Exchange IMF folder and enters an event in the 
# Application log reporting number of spam mails found and deleted
# David Moisan 9/22/2006
# v1.0

$sSource = "Delete-IMFSpam"
$sLog = "Application"
$sMachine = [System.Environment]::MachineName

$sEventIDSpam = 1
$sEventIDNoSpam = 2

$sEventLogInformational = [System.Diagnostics.EventLogEntryType]::Information
$sEventLogWarning = [System.Diagnostics.EventLogEntryType]::Warning
$sEventLogError = [System.Diagnostics.EventLogEntryType]::Error

$sUCEArchive = "$env:programfiles\exchsrvr\mailroot\vsi 1\UCEArchive"

# Create source in eventlog if it isn't already there

if (-not [System.Diagnostics.Eventlog]::SourceExists($sSource,$sMachine)) {
   [System.Diagnostics.Eventlog]::CreateEventSource($sSource, $sLog, $sMachine)
}

# Create new eventlog object to make entries

$eLog = new-object System.Diagnostics.EventLog($sLog,$sMachine,$sSource)

# Get count of spam items

$SpamCount = (get-childitem $sUCEArchive\*.eml | measure-object).Count

# Display count to the log and the console
# Delete spam if directory not empty

if ($SpamCount -gt 0) {
   remove-item "$sUCEArchive\*.eml"
   $eLog.WriteEntry("UCEArchive: $SpamCount item(s) found and deleted", $sEventLogInformational, $sEventIDSpam)
} else {
   $eLog.WriteEntry("UCEArchive:  No spam items found", $sEventLogInformational, $sEventIDNoSpam)
}

# Done


Run the script:

powershell delete-IMFSpam.ps1

And here’s the event log:

MachineName : [...]
EventID     : 1
TimeWritten : 9/30/2006 1:00:48 AM
EntryType   : Information
Source      : Delete-IMFSpam
Message     : UCEArchive: 674 item(s) found and deleted

This was just in 3 (!!) days since the folder was last emptied.
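
A variation on the script above, added here as an example and not part of the original post: it deletes only archived items older than a retention window, so recent messages stay in the folder for false-positive inspection. The -RetentionDays parameter, event ID 3 and the use of each file's LastWriteTime as its archive time are assumptions of this example.

```powershell
# Added example, not the original author's script.
# Assumptions: -RetentionDays and event ID 3 are choices made for this example,
# and a file's LastWriteTime is taken as the time it was archived.
param(
    [string]$ArchivePath = "$env:ProgramFiles\exchsrvr\mailroot\vsi 1\UCEArchive",
    [int]$RetentionDays = 7
)

$source  = "Delete-IMFSpam"
$logName = "Application"
$info = [System.Diagnostics.EventLogEntryType]::Information
$warn = [System.Diagnostics.EventLogEntryType]::Warning

# Registering an event source needs administrative rights the first time.
if (-not [System.Diagnostics.EventLog]::SourceExists($source)) {
    [System.Diagnostics.EventLog]::CreateEventSource($source, $logName)
}
$log = New-Object System.Diagnostics.EventLog($logName, ".", $source)

# A missing folder is reported rather than silently treated as "no spam".
if (-not (Test-Path -LiteralPath $ArchivePath -PathType Container)) {
    $log.WriteEntry("UCEArchive: folder not found: $ArchivePath", $warn, 3)
    exit 1
}

$cutoff  = (Get-Date).AddDays(-$RetentionDays)
$items   = @(Get-ChildItem -LiteralPath $ArchivePath -Filter *.eml |
             Where-Object { -not $_.PSIsContainer })
$expired = @($items | Where-Object { $_.LastWriteTime -lt $cutoff })

# Delete one file at a time so a locked file does not hide the others' results.
$failed = 0
foreach ($file in $expired) {
    try   { Remove-Item -LiteralPath $file.FullName -Force -ErrorAction Stop }
    catch { $failed++ }
}
$deleted = $expired.Count - $failed
$kept    = $items.Count - $expired.Count

if ($failed -gt 0) {
    $log.WriteEntry("UCEArchive: $deleted deleted, $failed could not be deleted, $kept kept for review", $warn, 3)
} elseif ($deleted -gt 0) {
    $log.WriteEntry("UCEArchive: $deleted item(s) older than $RetentionDays day(s) deleted, $kept kept for review", $info, 1)
} else {
    $log.WriteEntry("UCEArchive: nothing older than $RetentionDays day(s), $kept kept for review", $info, 2)
}
```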

Take care,


