Simple one-liner...

I recently ran into an internal virus outbreak at my place of work. During the outbreak we were receiving virus/worm messages at many, many times the normal message volume; luckily, every one of the virus messages had the subject line “Here you have”. As soon as we realized what was going on, a transport rule was put in place to block the messages on the Hub Transport servers. After several days we were still seeing infected endpoints on our network sending these messages, so we needed a way to identify the infected users. Here comes the simple PowerShell one-liner for the day:

Get-TransportServer | % { Get-MessageTrackingLog -Server "$_" -EventId "FAIL" -MessageSubject "Here you have" -Start "9/12/2010 12:00:01 AM" -ResultSize Unlimited } | Select Sender, Timestamp, MessageSubject | Export-Csv C:\09122010-current.csv -NoTypeInformation

It gets all the Hub Transport servers, then on each server pulls the message tracking log entries whose EventId is FAIL. FAIL is the event Exchange logs when a message is not delivered, which is what happens when a message matches a transport rule that deletes it; because the query also filters on the subject line, ordinary delivery failures for unrelated mail are left out. Since we only need the senders, Select is used to limit the output to the sender’s SMTP address, the timestamp and the message subject, and the result is sent to a CSV file. Export-Csv’s -NoTypeInformation switch keeps the “#TYPE” header line out of the file so Excel sees only the data. Open the CSV in Excel and you can see how many messages have been dropped and who your top senders are. Once you have that, it’s time to go look at their workstations: scan and clean, or reimage.
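The one-liner leaves the counting to Excel and tells you nothing about where each dropped message entered transport. The script below is an added example, not part of the original post: it groups the dropped messages per sender with first/last seen times and, by joining each FAIL entry to the RECEIVE entry for the same MessageId, records the source that submitted the message. It assumes the Exchange 2010 tracking-log property names Timestamp, EventId, Source, Sender, MessageId, ClientIp and ClientHostname, and that a transport-rule deletion is logged as a FAIL event with Source AGENT (check one of your own entries before relying on that). Outside the Exchange Management Shell it falls back to a constructed sample data set, whose senders, hosts and message IDs are made up, so the report logic can be exercised anywhere.

```powershell
# Added example (not from the original post). Per-sender report of messages dropped by
# the "Here you have" transport rule, with the submitting source taken from the RECEIVE
# event. Live data needs the Exchange 2010 Management Shell; otherwise a constructed
# sample is used. Written to stay PowerShell 2.0 compatible (no [pscustomobject], no -in).
param(
    [string]   $Subject = "Here you have",
    [datetime] $Since   = "9/12/2010 12:00:01 AM",
    [string]   $OutFile = "C:\09122010-current.csv"
)

function New-SampleEvents {
    # Constructed sample: a RECEIVE and a FAIL entry per message, shaped like the
    # tracking-log properties used below. Senders, hosts and MessageIds are invented.
    $rows = @(
        @{Timestamp=[datetime]'2010-09-12 08:01:00'; EventId='RECEIVE'; Source='STOREDRIVER'; Sender='alice@contoso.com'; ClientIp='10.1.1.10'; ClientHostname='MBX01';  MessageId='<m1@contoso.com>'},
        @{Timestamp=[datetime]'2010-09-12 08:01:01'; EventId='FAIL';    Source='AGENT';       Sender='alice@contoso.com'; ClientIp='';          ClientHostname='';       MessageId='<m1@contoso.com>'},
        @{Timestamp=[datetime]'2010-09-12 08:05:00'; EventId='RECEIVE'; Source='STOREDRIVER'; Sender='alice@contoso.com'; ClientIp='10.1.1.10'; ClientHostname='MBX01';  MessageId='<m2@contoso.com>'},
        @{Timestamp=[datetime]'2010-09-12 08:05:01'; EventId='FAIL';    Source='AGENT';       Sender='alice@contoso.com'; ClientIp='';          ClientHostname='';       MessageId='<m2@contoso.com>'},
        @{Timestamp=[datetime]'2010-09-12 09:30:00'; EventId='RECEIVE'; Source='SMTP';        Sender='bob@contoso.com';   ClientIp='10.2.2.57'; ClientHostname='WS-BOB'; MessageId='<m3@contoso.com>'},
        @{Timestamp=[datetime]'2010-09-12 09:30:01'; EventId='FAIL';    Source='AGENT';       Sender='bob@contoso.com';   ClientIp='';          ClientHostname='';       MessageId='<m3@contoso.com>'},
        # Same subject, but a routing failure rather than a rule drop: must not be counted.
        @{Timestamp=[datetime]'2010-09-12 10:00:00'; EventId='FAIL';    Source='ROUTING';     Sender='carol@contoso.com'; ClientIp='';          ClientHostname='';       MessageId='<m4@contoso.com>'}
    )
    foreach ($r in $rows) { New-Object PSObject -Property $r }
}

function Get-OutbreakEvents {
    param([string]$Subject, [datetime]$Since)
    if (Get-Command Get-MessageTrackingLog -ErrorAction SilentlyContinue) {
        # Live: RECEIVE and FAIL entries for the subject from every Hub Transport server.
        Get-TransportServer | ForEach-Object {
            Get-MessageTrackingLog -Server $_.Name -MessageSubject $Subject -Start $Since -ResultSize Unlimited |
                Where-Object { 'RECEIVE','FAIL' -contains $_.EventId }
        }
    } else {
        Write-Warning "Get-MessageTrackingLog not available; using the constructed sample data set."
        New-SampleEvents
    }
}

function Get-SenderReport {
    param($Events)
    # Index RECEIVE entries by MessageId. The FAIL entry written by the rule agent carries
    # no client address, so the RECEIVE entry is where the submitting source lives:
    # STOREDRIVER = picked up from a mailbox (Outlook on the user's workstation; the host
    # shown is the mailbox server), SMTP = submitted over a receive connector, in which
    # case ClientIp is the submitting endpoint itself.
    $received = @{}
    foreach ($e in $Events) {
        if ($e.EventId -eq 'RECEIVE' -and $e.MessageId) { $received[$e.MessageId] = $e }
    }
    $Events |
        Where-Object { $_.EventId -eq 'FAIL' -and $_.Source -eq 'AGENT' } |   # rule drops only (assumption: verify Source on your logs)
        Group-Object Sender | Sort-Object Count -Descending | ForEach-Object {
            $g       = $_
            $ordered = @($g.Group | Sort-Object Timestamp)
            $origins = @($g.Group | ForEach-Object {
                if ($_.MessageId -and $received.ContainsKey($_.MessageId)) {
                    $r = $received[$_.MessageId]
                    "$($r.Source)/$($r.ClientHostname)/$($r.ClientIp)"
                }
            } | Sort-Object -Unique)
            New-Object PSObject -Property @{
                Sender    = $g.Name
                Dropped   = $g.Count
                FirstSeen = $ordered[0].Timestamp
                LastSeen  = $ordered[-1].Timestamp
                Origins   = ($origins -join '; ')
            }
        } | Select-Object Sender, Dropped, FirstSeen, LastSeen, Origins
}

$report = Get-SenderReport -Events (Get-OutbreakEvents -Subject $Subject -Since $Since)
$report | Format-Table -AutoSize
$report | Export-Csv -Path $OutFile -NoTypeInformation
```

The Origins column is the pivot that saves a trip to the wrong desk: a STOREDRIVER origin means the mail came out of that user's mailbox, so the sender's logged-on workstation is the machine to pull; an SMTP origin with a workstation address means the endpoint is speaking SMTP to a receive connector directly and the IP itself is the lead. Either way, treat the sender address as a lead rather than proof, since malware can put any address it likes on a message, and confirm against the RECEIVE entry before reimaging.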

 
