{"id":297,"date":"2024-07-30T19:09:24","date_gmt":"2024-07-30T19:09:24","guid":{"rendered":"https:\/\/duff.io\/?p=297"},"modified":"2024-07-30T19:09:24","modified_gmt":"2024-07-30T19:09:24","slug":"deleting-accidental-or-dangerous-emails-in-google-workspace","status":"publish","type":"post","link":"https:\/\/duff.io\/?p=297","title":{"rendered":"Deleting accidental or dangerous emails in Google Workspace"},"content":{"rendered":"\n

As Google Workspace admins, sometimes, we are asked to delete emails from other users accounts when the messages are sent in error or contain malware\/phishing\/etc. This is not something we do lightly and should only be done in the most extreme cases. <\/p>\n\n\n\n

If the message went outside your Google Workspace domain, there is almost nothing we can do beyond asking the recipient to delete the message.<\/p>\n\n\n\n

For messages received inside of the Google Workspace, there are two things I’ve done:<\/p>\n\n\n\n

    \n
  1. Change the recipient’s password, delete the message, empty the trash;<\/li>\n\n\n\n
  2. Use the command line tool GAM<\/li>\n<\/ol>\n\n\n\n

    The remainder of this post focuses on the second approach since it is less disruptive to the user(s). However, it is more dangerous since mistakes can delete the wrong message(s). When this document refers to GAM, we are referring to the GAMADV-XTD3<\/a> version.<\/p>\n\n\n\n

    Finding the Message ID<\/h2>\n\n\n\n

    To delete a message using GAM you need to know the Message ID. There are several ways to do this. The easiest is if you have access to an account the message was sent or received from, and then you can use the \u201cShow original\u201d feature of Gmail, find it in the raw headers of an email, or use GAM to search for it.<\/p>\n\n\n\n

    \u201cShow original\u201d feature of Gmail to find a Message ID<\/h3>\n\n\n\n
    \"\"<\/figure>\n\n\n\n

    In Gmail, select \u201cShow original\u201d which will nicely decode the headers of the message and show you the Message ID in the first line:<\/p>\n\n\n\n

    \"\"<\/figure>\n\n\n\n

    Tip: You can ask the sender to do this in their sent message folder and copy\/paste the Message ID in an email to you.<\/p>\n\n\n\n

    Looking at the raw headers \/ original email to find a Message ID<\/h3>\n\n\n\n

    If you have access to the original unparsed email message (either from the sender or a recipient), you can look through the headers at the top of the message for a line that starts with \u201cMessage-ID:\u201d<\/p>\n\n\n\n

    Here is an example of the headers from an email that an email client hasn\u2019t parsed:<\/p>\n\n\n\n

    Message-ID: <0101018d3c6c1777-3b5e6fe4-a6f7-4c0f-bxc1-75850bcb519e-000000@us-west-2.amazonses.com><\/code><\/pre>\n\n\n\n
    Using GAM to find a Message ID<\/h3>\n\n\n\n
    GAM has a few ways to search for a Message ID. See the Print Messages Query<\/a> section of the GAM manual.<\/p>\n\n\n\n
    Searching by subject and date range in a single users account<\/h4>\n\n\n\n
    The following commands searches through the account \u201cmyemail\u201d for message with a subject of \u201cAlert for MYNET – wireless\u201d between 1\/24\/24 and 1\/25\/24. Note that you have to escape the quotes around the subject with a backslash and put the date in YYYY-MM-DD format.<\/p>\n\n\n\n
    gam user myemail show messages query \"subject:\\\"Alert for MYNET - wireless\\\" before:2024-01-25 after:2024-01-24\"<\/code><\/pre>\n\n\n\n
    Searching by subject and date range in all accounts and send the results to a new Google Sheet<\/h4>\n\n\n\n
    gam all users print messages query \"subject:\\\"Alert for MYNET - wireless\\\" before:2024-01-25 after:2024-01-24\" todrive<\/code><\/pre>\n\n\n\n
    This is going to be slow (think 30-45 minutes) since it searches each account one at a time. You can also use \u201cgam ou_and_children_ns\u00a0<Path\/To\/OU><\/strong>\u201d instead of \u201call users\u201d to just search a single OU. Since the message ID is going to be the same for all users, you can often just search one user.<\/p>\n\n\n\n
    Deleting an email using GAM<\/h2>\n\n\n\n
    From a single user<\/h3>\n\n\n\n
    The folllowing command will delete from the user myemail the message that matches Message ID specified after \u201crfc822msgid:\u201d (in this case 0101018d3c6c1777-3b5e6fe4-a6f7-4c0f-bxc1-75850bcb519e-000000@us-west-2.amazonses.com<\/a>).<\/p>\n\n\n\n
    gam user myemail delete messages query \"rfc822msgid:0101018d3c6c1777-3b5e6fe4-a6f7-4c0f-bxc1-75850bcb519e-000000@us-west-2.amazonses.com\" doit<\/code><\/pre>\n\n\n\n
    From all users<\/h3>\n\n\n\n
    gam all users delete messages query \"rfc822msgid:0101018d3c6c1777-3b5e6fe4-a6f7-4c0f-bxc1-75850bcb519e-000000@us-west-2.amazonses.com\" doit<\/code><\/pre>\n\n\n\n
    Just like with searching all users, deleting from all users is very slow (30-45 minutes) since it iterates through all of our users. You can also target an OU (see documentation<\/a>) if needed.<\/p>\n\n\n\n
    From a group of users<\/h3>\n\n\n\n
    gam group mygroup@mygoogleworkspace.org delete messages query \"rfc822msgid:0101018d3c6c1777-3b5e6fe4-a6f7-4c0f-bxc1-75850bcb519e-000000@us-west-2.amazonses.com\" doit<\/code><\/pre>\n\n\n\n
    Like all users, this will iterate through all members of the group and can take a while to run on large groups. The message specified in the query does not have to have been sent to the list. The command is only using the group for the list of accounts to search through and delete the message from.<\/p>\n\n\n\n
    <\/p>\n","protected":false},"excerpt":{"rendered":"
    As Google Workspace admins, sometimes, we are asked to delete emails from other users accounts when the messages are sent in error or contain malware\/phishing\/etc. This is not something we do lightly and should only be done in the most extreme cases. If the message went outside your Google Workspace domain, there is almost nothing […]<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[22,21],"tags":[],"class_list":["post-297","post","type-post","status-publish","format-standard","hentry","category-gam","category-google-workspace"],"jetpack_featured_media_url":"","_links":{"self":[{"href":"https:\/\/duff.io\/index.php?rest_route=\/wp\/v2\/posts\/297","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/duff.io\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/duff.io\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/duff.io\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/duff.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=297"}],"version-history":[{"count":1,"href":"https:\/\/duff.io\/index.php?rest_route=\/wp\/v2\/posts\/297\/revisions"}],"predecessor-version":[{"id":300,"href":"https:\/\/duff.io\/index.php?rest_route=\/wp\/v2\/posts\/297\/revisions\/300"}],"wp:attachment":[{"href":"https:\/\/duff.io\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=297"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/duff.io\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=297"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/duff.io\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=297"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}