Track what happened to an email after it was delivered on the Exchange Server

exchange-2007

My company is using Exchange 2007, Windows 2008 Server, Outlook 2007. One specific user claims she never received an important email. Using the Message Tracker in Exchange, I can see that the message was delivered (EventID: DELIVER Source:STOREDRIVER) to the correct person.

I'd like to be able to determine if the message was deleted or moved (or read) after it was delivered. Is there any way to track this, short of entering the user's mailbox and searching all folders and the Delete Retention?

Update
The User says the message "showed up in my inbox this morning. I know it wasn’t there all weekend. Something weird is going on with my inbox." Issue resolved IMO.

Best Answer

If your logs are showing the mail was delivered to the SERVER then I think the only step beyond that (if you choose to do so) is to look in the user's mailbox, etc.

This sounds like a bit of an "office politics" thing, am I correct?

If that's the case then I personally would probably just stop at this point and show the email was deleivered to the server and leave it at that. Trying to prove users are lying never ends up good.

People like to blame "computers" for everything. ;-)

I recently had a case where a user "stored" emails in their "Trash" folder (don't ask why) and then lost over 600 of their "stored" emails when the trash folder was deleted. They INSISTED someone logged into their email account and emptied the trash.

Aside from the obvious (DON'T save things in your TRASH folder) I was able to prove it was NOT conspiracy by grabbing screen shots and the proxy log for that computer. The user CLEARLY (accidentally) deleted their own Trash folder. (web based email client)

Their response... "Well I don't know if I was FOR SURE sitting at my PC between 4:45pm and 5:00pm... someone could have come along and deleted it!"

At this point its very important to just "state the facts". I'm not saying YOU did it... I'm saying that YOUR PC issued a deleteFolder command at exactly 4:47pm. So, whoever was sitting at your desk at 4:47pm did it.

End of story. ;-)

Related Solutions

Security – How to inspect remote SMTP server’s TLS certificate

You can use OpenSSL. If you have to check the certificate with STARTTLS, then just do

openssl s_client -connect mail.example.com:25 -starttls smtp

or for a standard secure smtp port:

openssl s_client -connect mail.example.com:465

Powershell – Retrieve a user’s Exchange database in powershell

This should get you on the right track, the caveat being that you'd need the AD powershell stuff working; this requires at least one 2008R2 DC.

GetADUser -Identity "$RUser" -Properties homeMDB

On a side note, careful with your word-auto-formatted directional quotes - I don't know off the top of my head whether Powershell plays nice with those, but they certainly did a number on StackExchange's code coloring.

I don't envy you trying to do this in powershell - be careful to validate the inputs that are user enterable, and log the results of the commands.

Edit: You know what, that property from AD would probably not be formatted how exchange wants it. Try this instead (and won't need 2008R2):

$RData = (Get-User -Identity "$RUser" | Get-Mailbox | Select-Object Database)

Best Answer

Related Solutions

Security – How to inspect remote SMTP server’s TLS certificate

Powershell – Retrieve a user’s Exchange database in powershell

Related Topic