Emergency message purge and transport rule processing in Office 365 dedicated

Article translations Article translations
Article ID: 2736413 - View products that this article applies to.
Expand all | Collapse all

On This Page

Symptoms

In Microsoft Office 365 dedicated, a user may experience one of the following issues:
  • Many problems with mail queuing or performance 
  • An email message that includes incorrect or sensitive content was sent to multiple mailboxes

Cause

The first issue may occur if many email messages or very large email messages are sent to multiple users. This may be related to a denial of service attack.

Resolution

To resolve these issues, Microsoft can take the following two kinds of actions:
  • Emergency transport rule
    • Removes instances of an email message from transport queues. 
    • Keeps new instances of an email message from being delivered to users.
  • Emergency message purge
    • Removes instances of an email message from mailboxes.
In some scenarios, it may be appropriate to request both an emergency transport rule and an emergency message purge. The following three examples illustrate some common scenarios.

Scenario 1

A user reports that an email message that includes an attachment was incorrectly sent to a distribution group that has thousands of members. The attachment contains salary information for several hundred users. This issue occurred 30 minutes earlier, and the sender of the email message engaged their service desk to request that the email message be removed from the recipients' mailboxes.

Scenario 1: Resolution

To resolve the issue in scenario 1, contact Microsoft to request an emergency message purge. To do this, please use the Exchange Online topic and the Message Purge sub-topic when you submit a support incident online to Microsoft Online Services Support, or contact Microsoft Online Services Support by telephone. In addition, please provide as much information about the email message as possible. The information should include the sender, the recipients, the subject, the day or time that the email message that was sent, and the fact that the email message contains an attachment.

Scenario 2

Users report that they are receiving many copies of an email message from an external sender. Some users reply all and forward the email message. There are some reports of internal messages taking a long time to be received.

Scenario 2: Resolution

To resolve the issue in scenario 2, contact Microsoft to request an emergency message purge and an emergency transport rule. To do this, please use the Exchange Online topic and the Message Purge sub-topic when you submit a support incident online to Microsoft Online Services Support, or contact Microsoft Online Services Support by telephone. In addition, please provide as much information about the email message as possible. The information should include the sender, the recipients, the subject, the day or time of the email message that was sent, and the evidence that is available to indicate that other email messages are delayed. This lets us determine whether an emergency transport rule is necessary.

Scenario 3

An internal process generated many email messages, and all mail delivery is delayed.

Scenario 3: Resolution

To resolve the issue in scenario 3, contact Microsoft to request an emergency transport rule to delete these email messages. To do this, please use the Exchange Online topic and the Message Purge sub-topic when you submit a support incident online to Microsoft Online Services Support, or contact Microsoft Online Services Support by telephone. In addition, please provide as much information about the email message as possible. The information should include the sender, the recipients, the subject, the day or time of the email message that was sent, and the evidence that is available to indicate that other email messages are delayed.

Emergency transport rule

If it is necessary, an emergency transport rule will be created based on the characteristics that are provided, and corresponding email messages will be deleted.

Emergency message purge

The emergency message purge process removes email messages from a user's mailbox based on specific characteristics. These characteristics can include sender, day or time that the message was sent, subject line, and whether there is an attachment. The emergency message purge searches for email messages that match the criteria and then removes these email messages from the mailbox. The email messages in the Recoverable Items folder of the mailbox are also removed. However, the email message is not removed from the Purges folder. This means that the purged item can be recovered individually by an administrator. However, the purged item is not recoverable from Microsoft Outlook and cannot be recovered in a bulk process.

For more information about deleted item retention and recovery, go to the following Microsoft TechNet website:
Understanding Recoverable Items
An emergency message purge can be completed by O365 Dedicated Support. The process involves multiple steps to make sure that the correct content is removed from users' mailboxes. This process is optimized to make sure that the correct information is removed in as timely a manner as possible. 

Limitations and risks

  • Only messages that exist in the customer's managed email environment can be purged.

    Notes 
    • Email messages that are sent outside the environment cannot be removed by Microsoft in this process. This includes public email services such as Hotmail and other private email servers.
    • If you are using a language that contains double-byte characters (For example, Korean is a language that uses double-byte characters), MOSSUP cannot complete the purge request. However, the customer can perform the message purge by using Windows PowerShell cmdlets in self-service tools.

  • Email messages that are saved to .pst files or to a local drive cannot be purged by Microsoft in this process.
  • Depending on the number of mailboxes that must be searched, the time to complete this request can vary.
  • Email messages are deleted based on their subject, and this process searches for a complete string of words in the Subject line. For example, a purge run against the subject "Welcome to the company" will also delete email messages such as "Welcome to the company Bob" or "I felt welcome to the company." Preparation work has to be done before the actual purge to make sure that the correct email messages and recipients are targeted.
  • Forward and Reply messages in an email thread cannot be specifically targeted. The message purge must be run against the subject that does not have the "FW:" or "RE:" prefixes. if a valid message is to be excluded from the purge, the Sent timestamp must be used to omit the valid message.

    For example, a valid message that has a subject "Company Wide Announcement for January" is sent at 3:00 PM Eastern Standard Time (EST). One recipient replies to all the recipients of this message at 3:15 EST, and creates a message that has a subject "RE: Company Wide Announcement for January". This reply contains sensitive information that should be purged. However, the initial email should not be targeted. To perform this purge, the subject "Company Wide Announcement for January" is used with a Sent time of 3:14 PM EST. All the messages in the thread that are sent after 3:14 PM EST will be purged.
  • Any email message that is deleted from a mailbox that has Single Item Retention (SIR) disabled cannot be recovered by Microsoft. Because there is a risk that messages will be unintentionally deleted from mailboxes that have SIR disabled, Microsoft will enable SIR on any mailboxes that are found. If mailboxes that have SIR disabled are found, the purge process will be delayed for these mailboxes until SIR is enabled. It will take 60 minutes to make sure that these mailboxes are enabled.
  • Requests for deletion of messages from Proofpoint archives will not be processed because the messages cannot be deleted, by design.

The customer should be aware that they have to work closely with O365 Dedicated Support throughout the following process:
  1. An authorized requestor submits a support incident. The support incident provides O365 Dedicated Support with the characteristics that are needed to identify the target email message. These include the sender, the subject line, and the date or time that the email message that was sent. If a customer other than the authorized requestor should work with O365 Dedicated Support, this should be specified in the support incident. If the customer knows from which recipients' mailboxes they want the email message purged, they should include a list of recipients in the support incident.
  2. If the case is a Severity A escalation, the customer must call O365 Dedicated Support after they submit the support incident.
  3. The O365 Dedicated Support agent will work to obtain a complete list of the recipients if the customer did not provide this or if the customer is not sure of who should be included in the list of recipients. The agent will do this by searching the message-tracking logs for the message in question and exporting all recipients. This lets the purge process be run against as few mailboxes as possible. Message tracking expedites the process and avoids unexpected consequences. However, message-tracking logs are maintained for only ten days. If the email message was sent more than ten days earlier, the requestor must provide a list of recipients.

    Note An environment-wide purge can be run against all mailboxes. Depending on the number of mailboxes in the environment and the size of the mailboxes, this process can take up to 48 hours. Such a purge should be done only in situations in which O365 Dedicated Support and the customer requestor agree that this is the method of choice. 
  4. The O365 Dedicated Support agent will engage the authorized requestor (or the customer contact who is specified by the authorized requestor) to confirm the recipient list before they go to the next step.
  5. A pre-purge process is run against the recipient list or all mailboxes. During this process, a search is run against the mailboxes to identify the email message that fits the criteria of the target email message. O365 Dedicated Support will provide the requestor with a spreadsheet that includes a list of the users and the number of messages that were found that meet the criteria of the target email message. There may be a strong business reason to skip this part of the process. If this is the case, skipping the pre-purge search process should be approved by the authorized requestor. Even if the pre-purge search process is skipped, a check should be made to make sure that the SIR feature is enabled for all recipients and all mailboxes. If the SIR feature is not enabled, the support agent will enable the SIR feature. This feature makes sure that messages can be recovered for a specific mailbox from the mailbox Purges folder. 

    For more information about the SIR feature, go to the following Microsoft TechNet website: 
    Understanding Recoverable Items
    It will take an hour to confirm that SIR is set on the mailbox. The process can continue for the mailboxes that are found to have SIR enabled. The purge can then be run against the remaining mailboxes. If there is a strong business reason to continue the purge process on all mailboxes immediately, the customer contact should communicate this to the O365 Dedicated Support agent.

    After the pre-purge process is complete and the customer reviews the spreadsheet, the requestor must provide their approval to O365 Dedicated Support through an email message. Then, the purge will continue.
  6. When O365 Dedicated Support receives the approval, the purge will be run, and a spreadsheet that contains the recipients and the number of email messages that were found will be sent to the customer. 
Note For more information about self-service options to control data spillage, click the following article number to view the article in the Microsoft Knowledge Base:

2811786 How to control data spillage in Office 365 dedicated and ITAR

Properties

Article ID: 2736413 - Last Review: July 29, 2013 - Revision: 9.0
Applies to
  • Microsoft Business Productivity Online Dedicated
  • Microsoft Business Productivity Online Suite Federal
Keywords: 
vkbportal226 KB2736413

Give Feedback

 

Contact us for more help

Contact us for more help
Connect with Answer Desk for expert help.
Get more support from smallbusiness.support.microsoft.com