Exchange 2010 Rule-based Forwarded Email

(@matrix)
Posts: 21
Eminent Member
Topic starter
 

Hello Everyone,

I am working on a case where an ex-employee (the Exchange Admin) received some confidential emails after they had left their employer. I have checked the Exchange Message Tracking logs and have not found any email being sent to this individual. I have also checked the log’s ‘SOURCE’ field for the presence of ‘MAILBOXRULE’ (indicates an end-user created mailbox rule) and found nothing.

I know that email can also be forwarded through two other methods:

1. Exchange administrator can create forwarding rules for mailboxes from Exchange itself.
2. Exchange administrators can create a transport rule to send copies of emails sent or received by certain users to another mailbox.

Does anyone know if Exchange records the sending of email via Transport rule and AD/Exchange level forwarding? If so, how is it recorded in the Message Tracking logs? Can these emails be identified through some other logs?

I will be speaking to the new Exchange Admin to see if these two rules are active. The problem with this is whether the rules have been deleted. The emails in question were sent 11 months ago.

The company is using Exchange 2010.

Thanks ahead of time.

 
Posted : 10/09/2014 7:40 pm
(@wquant)
Posts: 8
Active Member
 

I am not sure I can help, but I think understanding how you know the email was sent to them would be helpful. I assume it is implied that the email was sent to his personal address? If so, how do you know that?

Could it be as simple as someone telling him about the emails, or maybe he had credentials past the time of his employment to see email traffic?

Back-ups for the Exchange system might be archived back that far.

 
Posted : 11/09/2014 12:23 pm
(@matrix)
Posts: 21
Eminent Member
Topic starter
 

Thank you for the reply. You are correct when you say understanding how the email was sent would be helpful. That is exactly what I am trying to figure out.

I know that the user's logon account had been disabled along with a password change. The other parties involved said they had no contact with the individual. All admin passwords were changed and a review of existing accounts was performed. No rogue accounts were found.

I have found some info regarding mail forwarding and Message Tracking logs. Mail sent by end-user created mailbox rules shows up in the Message Tracking logs as "MAILBOXRULE" in the SOURCE field.

Email that underwent some form of mail routing is identified as "ROUTING" in the SOURCE field.

Messages that are handled by the use of the alternateRecipient are identified by a "REDIRECT" event in the message tracking log.

Email sent by the transport rule can be identified in the Application event log, if and only if the system has been set to record transport rules.

Does anyone know what file contains Exchange rules and actions?

 
Posted : 11/09/2014 9:12 pm
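
When the tracking logs are only available as files restored from backup, the SOURCE and event checks discussed in this thread can be run offline over the CSV text. This is an added example, not part of any poster's message: the sample log, its reduced field list and the addresses are constructed, and the function names are hypothetical.

```python
import csv
import io

# Constructed sample in the Message Tracking log layout (comment header, then CSV).
# The field subset, addresses and timestamps are invented for illustration.
SAMPLE_LOG = """#Software: Microsoft Exchange Server
#Log-type: Message Tracking Log
#Fields: date-time,source,event-id,message-id,recipient-address,related-recipient-address,message-subject,sender-address
2013-10-15T09:12:01.100Z,SMTP,RECEIVE,<a1@example.test>,cfo@example.test,,Q3 figures,ceo@example.test
2013-10-15T09:12:01.300Z,ROUTING,REDIRECT,<a1@example.test>,former.admin@mail.example,cfo@example.test,Q3 figures,ceo@example.test
2013-10-15T09:12:02.000Z,STOREDRIVER,DELIVER,<a2@example.test>,hr@example.test,,Lunch,ceo@example.test
2013-10-16T14:30:10.000Z,MAILBOXRULE,SUBMIT,<a3@example.test>,former.admin@mail.example;audit@example.test,,FW: Contract,cfo@example.test
"""

def read_tracking_rows(stream):
    """Yield one dict per log row, taking column names from the '#Fields:' line."""
    fields = None
    for line in stream:
        line = line.rstrip("\r\n")
        if line.startswith("#Fields:"):
            fields = [f.strip() for f in line[len("#Fields:"):].split(",")]
        elif line and not line.startswith("#") and fields:
            # csv.reader copes with quoted subjects that contain commas
            values = next(csv.reader([line]))
            yield dict(zip(fields, values))

def find_forwarding(stream, watched=()):
    """Return (row, reasons) for rows that look like rule-based or redirected mail."""
    watched = {w.lower() for w in watched}
    hits = []
    for row in read_tracking_rows(stream):
        reasons = []
        if row.get("source", "").upper() == "MAILBOXRULE":
            reasons.append("source=MAILBOXRULE")
        if row.get("event-id", "").upper() == "REDIRECT":
            reasons.append("event-id=REDIRECT")
        # recipient fields may hold several addresses separated by ';'
        joined = row.get("recipient-address", "") + ";" + row.get("related-recipient-address", "")
        if watched & {r.strip() for r in joined.lower().split(";")}:
            reasons.append("watched recipient")
        if reasons:
            hits.append((row, reasons))
    return hits

if __name__ == "__main__":
    for row, reasons in find_forwarding(io.StringIO(SAMPLE_LOG), ["former.admin@mail.example"]):
        print(row["date-time"], row["message-id"], row["recipient-address"], reasons)
```

Because the column names are read from each file's own `#Fields:` line, the same functions work on full-width logs; pass an open file handle in place of the `io.StringIO` sample.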