Removing Unwanted SMTP Records From Exchange Hybrid

I’m still new to Exchange Online and Office 365 mailbox management, but got stuck on this scenario for a bit.

After testing an E-mail Address Policy, I wanted to remove what the policy had done. I’d already discovered that taking an address off a policy itself doesn’t remove it from the accounts, and run this simple script to remove the unwanted SMTP record off each account. However, accounts that had been migrated to Office 365 didn’t change and still had the unwanted SMTP record.

I checked on Exchange Online itself, and the address I’d added hadn’t flowed through. I believe this was because it was using a domain that Office 365 didn’t know about – but that also meant that I had no records to change at that end. I could however go into the mailbox itself via the Exchange console and remove the unwanted record.

It turns out, that I had to use the ‘Get-RemoteMailbox’ and ‘Set-RemoteMailbox’ command in place of the ‘Get-Mailbox’ command. Although I was working with Exchange PowerShell on-premises, the mailbox type is “RemoteUserMailbox’. ‘Get-Mailbox’ against any migrated item will not find those objects that live in the cloud.


If you want to see which Exchange objects have a particular SMTP record in Exchange 2010, regardless of what mailbox type they are or where it lives, there’s an easy way.

Make sure the ‘Recipient Configuration’ tree option in the Exchange Console is selected, and filter with E-Mail Addresses > Contains > your unwanted SMTP record:

This will make sure all object types (including groups, contacts etc) don’t have the unwanted SMTP record.

Stellar Exchange Tookit Review

Stellar Data Recovery reached out to me to see if I was interested in reviewing their product. I only accept these when I can see a personal interest in what the product does. The 5 key things this product does are:

1. Repair corrupt EDB files
2. Mailbox Extractor for Exchange Server
3. OST – PST conversion
4. Mailbox Extractor for Exchange Backup
5. Password Recovery for MS Exchange

Primarily I was interested in OST to PST conversion, as I’ve tried to do this before and had no luck with free solutions, and wanted to try a paid product that could solve the problem. (It’s also worth noting this isn’t cheap software. Also if you only want a more basic OST to PST converter, they sell that by itself for a lot less.)

I tested the Exchange Toolkit on an Outlook 2016 OST file I’d copied off another computer, that was 2GB in size. It does take a little while to process, but displays the results in a nice Outlookesque GUI:

There’s also a search function, which is handy if you’re just after a particular email from the OST.

If you need to export the results, there’s a bunch of useful options:

I was impressed with the options to export directly to Exchange Server and Office 365! But for me, I was happy with a PST. The resulting PST file was readable via Outlook 2016, so the product does exactly what it says on the virtual box.

Another part of the toolkit I looked at, was the Mailbox Extractor. Again, there’s several options, but I tried connecting to a live Exchange 2010 server to extract emails:

After connecting, again I was presented with an Outlook style of emails. I then realised there’s a few use cases for this tool that are handy to me personally; if I need to go into a mailbox to get something out, this is much easier than adding a second mailbox or profile. It also then lets me take out those emails in a variety of ways – for example, I can select a folder and then export all contents of that folder into several formats, such as PST, MSG, PDF, HTML and RTF. For HTML and PDF, it will create a file per email with the same subject name.

I can see the other functions of this product being useful for someone who’s often dealing with other companies’ data, old data that needs to be restored, or extracting out a mailbox from an online Exchange server. It’s an interesting array of tools, and I’ll try to report back on whether this tool does the job well or not.

Worth checking out these tools if you run into a scenario where you need them – sometimes there’s a freeware or open source solution, but often they don’t work, are old, unreliable or limited in functionality. Stellar Exchange Toolkit seems to do what it claims well, and I look forward to trying more features in the future.

Your Personal Information Has Been Leaked

Opinion: The below is all my personal opinion, and although any company examples I give are true, this cannot be taken as 100% guaranteed evidence of a data leak.

Yep, you read the heading correct. If you’ve been online and signed up to even a handful of services, chances are some of your data has been stolen.

Troy Hunt’s website hosts some details on many millions of records that have been leaked one way or another from companies such as Adobe, Sony and Yahoo. Those are just known leaks though, where the data has been made publically available one way or another, and is only a snippet of what’s really out there.

How do I know this with such conviction? I’ve signed up to a LOT of things over the years, and using my methodology, each signup has a unique email address.

That unique email address per service gives me a pretty quick insight into who’s somehow lost my data. On a daily basis, I can have a look around my Google Apps spam folder, and see what email addresses were used to send spam to.

Often I’ll see the same email 15-20 times, sent to different email addresses on my domain. That’s pretty clear these spammers are finding multiple chunks of breached data, because my different email addresses aren’t going to be registered to a single site.

Today’s spam had the local part of the email address (the bit before the @) in the subject too, so here you can see what these emails were sent to:


I tend to see a mix of gibberish (such as asYOyuPq) and leaked emails. In this example chunk of spam, there’s Adobe – which I know was leaked as confirmed on haveibeenpwned, but there’s also plenty of other worrying ones. Penguin is from Penguin Books Australia, Dropbox is obvious, Coles, Dell, and others.

Looking down my list in the last few days, I can see others like fringebenefits – an Adelaide Fringe run discount tickets I signed up to a couple of years ago. Viator, a service I booked a tourist attraction on when visiting the US a few years ago.

Then there’s ebay – that one I don’t know so well, because email addresses get passed around when you buy and sell things through a platform. Maybe I contacted a seller and they had my email address because of that, and was lost from there.  Acertabletforum from a few years ago when I downloaded custom ROMS for an Acer Android tablet. Umart, from when I bought some PC components a few years ago too. 

At this stage, you might be wondering how I know the problem isn’t me. As I said, I’ve signed up for probably thousands of services over the years, and continually only see a subset of addresses that get spam. If I was leaking the data somehow, I should see a big mix of everything I’ve used, or at least everything up to a certain point in time. This is definitely not the case.

On top of all these email addresses, I have no idea what other data was leaked with them. My name, date of birth, first pet’s name, my home address? I can’t remember which services required which pieces of info, nor will most of these data leaks ever be publicly known – so I have no idea.

I don’t know what the answer is to all of this. I called out one company recently asking if they had a data breach, as I started to get spam on the email address I’d signed up to their online store with, which resulted in them calling my personal mobile phone, finding me on Facebook, naming my wife and son to me and threatening to send friends around to my place of residence, which he had obtained from my domain registrar details. This happened 2 years after I explicitly requested the company delete all my details, which I happened to blog about here.

It’s a pretty sorry state of affairs, and I don’t see anything getting better soon. If you want real privacy, use a fake name, a PO box, a pre-paid mobile phone and so on – because as soon as you hand your details out to someone, the world’s going to know about it.

Thanks to Troy Hunt for giving me the idea to write this up.

More LinkedIn Security Risks with LinkedIn Intro

LinkedIn have just announced a new way they’ve engineered LinkedIn user information into the native iOS mail reader. Have a look at the article here:!

In principal, this is an interesting idea – it’s what CMS (Customer Management Systems) have been doing for a long time, which is integrating a database of users/companies into your emails so at a glance you go from email address to user profile to company all in the one spot.

From a user perspective, this is quite neat. Seeing where someone works as part of the email, their job title, other connections saves a lot of time and brain energy when they’re thinking ‘who is this guy?’ – but from a security standpoint this is bad.

LinkedIn’s whole quote on the privacy aspect of this is:

Security and Privacy

We understand that operating an email proxy server carries great responsibility. We respect the fact that your email may contain very personal or sensitive information, and we will do everything we can to make sure that it is safe. Our principles and key security measures are detailed in our pledge of privacy.

That doesn’t say much, apart from ‘Come on.. trust me!’. Firstly, you’ve got to give LinkedIn your email password. Check my previous article as to why this is bad: – a pledge of privacy isn’t going to help you after a catastrophic event.

So, this method is actually worse again. All your emails traverse via LinkedIn’s proxy service, the email gets modified then delivered to your iOS device. Emails are insecure by nature as they traverse the internet in plain text format (excluding things like PGP and other encryption methods that most people/companies don’t use), but having them centrally filtered via a 3rd party means you’re giving them a truckload of information about yourself, who you deal with, your email habits and so on.

Would your company be happy with a 3rd party that you have no agreement with, receiving and forwarding on all your emails? Even if the emails aren’t stored, if LinkedIn was breached again (which they have been before, multiple times), other people could obtain anything from your contacts, to your password and email contents.

oAuth is supported too, which is a safer approach as it can be revoked – but you’re still giving the same level of access while the connection is approved.

Luckily for Exchange administrators, that doesn’t seem to be supported yet according to but for Google Apps people, you’ll need to look into how this can be blocked if you want to. If you’ve found out how, I’d be happy to add it to this post.

Update: There is a great writeup from Bishop Fox on several great reasons as to why this is a ‘bad idea’

An Email Conversation Regarding Domain Names and Aliases


Just sharing some correspondence I had with a company that I signed up with to purchase some goods online. Details have been changed for privacy and a few extra lines in the emails deleted that were irrelevant.

From: Mr Website Owner <>

Hello Mr Adam Fowler,

Recently you registered on our site using the email address of

We are not sure why you have chosen our registered business name and web address as an email address.
We would hope that this is not for any misrepresentation. Therefore we request that you cancel this name registration immediately.

We would not like to have to report this to the authorities, ASIC or Planet Domain for a breach of any company laws or internet protocol related issues.

Thanking you in advance for your assistance.

Kind Regards,

Mr Website Owner

From: Adam Fowler <>

Hi Mr Website Owner,

I’d recommend you have a chat with someone that knows I.T. to back up what I’m about to tell you, but this isn’t a name registration.
I own the domain and can have any email address, just like you can have anything
That’s also why I’m replying from
When I sign up for any service, I use a specialised email address solely for use with that business. Nobody sees this but you.
You can make up any word or phrase before and the email will get to me.
I also do not own any business, and do not have an ABN.

Threatening me with incorrect information, and being reported to the authorities isn’t the best way to deal with someone who’s planning to order XXXX from you.


From: Mr Website Owner <>

CC: Mr Website’s Lawyer

Thank you for your speedy reply.

It is unfortunate that your reply seems to contain a little more aggression that my email intended but that is the down side with the written word. Doesn’t contain emotion.

As you would be aware in owning a domain, which is just like any business, you need to protect it.

In today’s day and age, with Spammers, Hackers etc. doing enormous amounts of damage to all businesses, everyone needs to be vigilant.

We have competitors daily copying our business names (yes we have a few) registering and using names so close it’s confusing to our existing customers. Even down to having their office staff say they have the same name as our staff.

I accept your assurance that we are the only ones who will see this address, but I’m sure you would agree that it can be concerning to see initially.

I can assure you when I make a statement I have no intention of giving incorrect information.

When it comes to Misrepresentation I meant:

An assertion or manifestation by words or conduct that is not in accord with the facts.
Misrepresentation is a tort, or a civil wrong.

Many small businesses will have as the email address for their business name of ‘My Big Pies’ because they don’t own a domain or have a web site. It’s any easy way to have a personalised email. Some of my friends have their business emails setup this way.

Just because you own a domain or even a printing press for that matter, doesn’t allow you to print a business card containing an email address of say and be running an Electronics Service Business. The effect is confusion from Apple product owners who may think you work for or are an Authorised agent for Apple when this is not the case. I’m not here to lecture. I am asking in this case for some professional courtesy and refrain from using our business name just like any other business would.

If you are not happy with my explanation or request, please feel free to contact our Solicitor (I’m sure he is better with his words than I am):

<Lawyers Details Here>

If you choose not to purchase from us that is purely up to you. We can’t force you.  We do try to please every customer in the same way we fight to protect our business…with a passion.

Thanks again for your understanding and reply.

All the best,

Kind Regards,

Mr Website Owner

From: Adam Fowler <>

CC: Mr Website’s Lawyer

Hi Mr Website Owner,
The reason for shortness on my last email is that I don’t like to be threatened, regardless if there is any emotion behind it.
To keep things short, are you confirming that you accept my explanation and that no action is required from myself? I have no interest in using your name for anything apart from an account I signed up to your website with, which now I would request that it be terminated and removed from any databases and mailouts.


Mr Website Owner <>

CC: Mr Website’s Lawyer

Thank you Adam,

Yes I accepted your explanation behind the creation of the email address. You must have quite a few if you deal with many businesses.

I will of course remove your account if you no longer require it.

Please accept my apology if I have caused any upset. It was not my intention. I am just very protective of my business as I’m sure you are with your domain.

Also I hope we haven’t sent you any unsolicited marketing emails in the past. We definitely don’t operate that way.

Consider it all closed.

Thanks again,

Kind Regards,

Mr Website Owner

From: Adam Fowler <>


Thank you Mr Website Owner, I’ll consider the issue closed from my end too.

Anywhere I need to sign up for any service gets it’s own email address, you’d be suprised how many online companies seem to get hacked and their customer list starts to get spammed. There’s actually quite a few people who do the same, so you may see others sign up similar to how I did.

Not a problem either, I understand where you were coming from on it, which is why I took the time to explain.

Good luck with your ventures.


That’s where it ended, apart from a week later I received a gift from the website owner of some of the products I was considering purchasing! Well done to him for turning the situation around in the end.