Transport Rules: Beating smart users.

Experts,

I have a problem.  My users are smarter than my transport rules.  Let me explain in further detail.  I have created transport rules on my Exchange 2007 SP1 server to disallow the sending of attachments to particular distribution groups.  My users have figured out that they can manually select those specific users and then send the attachments that they want to send.  I had a user in HR select all of the employees manually, close to 5000, and send her attachments out, which totaled 1 Meg x5000.
What I am trying to accomplish is rather simple.  I would like to create a transport rule that will not let a user send attachments if the To Field is greater than 30 users.  I know this has to be possible via PowerShell, as the predefined syntax/rules will not let you word it in such a way; however, I haven't found any type of syntax that supports this.  Any direction would be great.

Thanks!
LEAD Support Asked:
 
Ubuntop Commented:
Looking at this link:
http://www.exchangeninjas.com/Transportrules

It shows only a few of the transport rules can take regular expressions.  Like I said, I have been playing with this a little (been really busy lately), and it seems a little misleading.

To test, I used 'HeaderMatches' = To.  Or the GUI name is "when the message header contains text patterns"=To.  Then for the value I entered a string within an outbound email address and it successfully logs the event. This proves that you can use "To" in the header rule.

Now, using regex with this is where it gets weird. After messing with it forever, the two regular expression patterns below should trigger on 5 or more '@' symbols.

([^@]*@[^@]*){5}
-OR-
([^@]*@[^@]*[^@]*@[^@]*[^@]*@[^@]*[^@]*@[^@]*[^@]*@[^@]*)

I tested this on several regular expression test engines and it works fine. However, I just cannot seem to get it to work in Exchange, but it should.  I think that the problem is that the regex engine in Exchange cannot handle multiple matches, while the standard POSIX regex can.  It really makes the regex functionality in Exchange limited.

I am going to keep looking for a solution, because I want to implement the same kind of rule in my environment.  I will post my findings if anything surfaces.   Perhaps you can try some variations of the patterns above.
Here is a page to test the regex patterns.
http://www.javaregex.com/test.html


0
 
Ubuntop Commented:
I plan to investigate your issue tomorrow at work.  I have a similar transport rule, but it has been a while since I looked at it.

I did want to point out something about your comment: 1Meg x5000.  This is not entirely accurate.  It essentially breaks down to 1 Meg per store, due to single instance storage.  In other words, all of those attachments are stored as one.  Unless you are specifically concerned with cached mode and/or POP users' bandwidth as they grab the file; then never mind.

One other thing, in certain versions of Outlook, you can load the distribution group (To:), then expand it fully to individual users by clicking the plus sign next to it.
0
 
LEAD Support (Author) Commented:
Right, I understand SIS and how it works, but on the other hand you have to also realize that almost all of these users have BlackBerrys and they are running cached mode on Outlook.  So tons of network traffic.

All of my users are on Office 2007; however, only certain authenticated users have permissions to send to those particular distribution groups.  Also, I do not allow my users to enumerate users in the distribution groups they do not have access to.  The majority of these distribution groups are mainly ones of geographical location.

Ubuntop, if you do have a rule similar to this that would be great.  I really appreciate it!
0
 
Ubuntop Commented:
Sorry Leadcrew for the delay in response.

In the Transport Rule, Conditions section, there is an option called "when the message header contains text patterns".   These text patterns can take regular expressions (regex); furthermore you can set the header to "To" or "CC" without quotes.  Your specific need is not identical to my existing rule so this is going to take some testing.  Luckily you can have the rule only apply to your email address.

The following two links talk about the regex that Exchange 2007 supports.
http://www.exchangeninjas.com/textpatterns
http://technet.microsoft.com/en-us/library/aa997187.aspx

To sum it up, you may need two separate rules that will only activate if X amount of recipients are in either the To or CC field.  The regex pattern will be something like [*@*]{30,} to trigger on 30 or more @ symbols (thus 30 recipients).  Test this out, my regex skills are not that great. The pages above should help.  I am going to try to achieve the same result right now.


The other option is to create a custom Transport Agent to write the "recipient-count" to a header field.  If you have any skills with C# and have VS2005, it is not that daunting of a task.
0
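
Added example, not part of any reply in this thread: Python code that runs the two pattern shapes suggested in the replies above against constructed To values under standard regex semantics (Python's re, not Exchange's text-pattern engine), then applies the asker's "attachment and more than 30 recipients" policy by parsing the recipients instead. The example.test addresses, the lowered threshold of 5 for the first pattern, and all function names are assumptions made for illustration.

```python
import re
from email.message import EmailMessage
from email.utils import getaddresses

# Patterns quoted in the thread, evaluated with standard regex semantics
# (Python's re), not Exchange's own text-pattern engine.
CHAR_CLASS = re.compile(r"[*@*]{5,}")      # shape of [*@*]{30,}, threshold lowered to 5
GROUPED = re.compile(r"([^@]*@[^@]*){5}")  # five or more '@' anywhere in the value

def to_header(n):
    """Constructed To value with n recipients (example.test is a placeholder domain)."""
    return ", ".join(f"u{i}@example.test" for i in range(n))

def regex_verdicts(header_value):
    """Report which of the two patterns fires on a header value."""
    return {"char_class": bool(CHAR_CLASS.search(header_value)),
            "grouped": bool(GROUPED.search(header_value))}

def sample_message(n, attach=True):
    """Constructed message: n To recipients, optionally one small attachment."""
    msg = EmailMessage()
    msg["From"] = "hr@example.test"
    msg["To"] = to_header(n)
    msg.set_content("see attached")
    if attach:
        msg.add_attachment(b"constructed bytes", maintype="application",
                           subtype="octet-stream", filename="memo.bin")
    return msg

def recipient_count(msg):
    """Distinct To + Cc addresses; Bcc never appears in these headers."""
    values = msg.get_all("To", []) + msg.get_all("Cc", [])
    return len({addr.lower() for _, addr in getaddresses(values) if "@" in addr})

def has_attachment(msg):
    return any(p.get_content_disposition() == "attachment" for p in msg.walk())

def should_block(msg, limit=30):
    """Policy from the question: attachment present and more than `limit` recipients."""
    return has_attachment(msg) and recipient_count(msg) > limit

if __name__ == "__main__":
    print(regex_verdicts(to_header(40)))
    print(should_block(sample_message(31)), should_block(sample_message(30)))
```

In a standard engine the bracketed form is a character class, so it only fires on a run of consecutive '*' or '@' characters and stays silent on a 40-recipient header, while the grouped form does count '@' symbols.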
 
LEAD Support (Author) Commented:
Okay thanks.  I had a power outage last night.  Once I recover from that I will post my response, but it looks very promising!
0
 
LEAD Support (Author) Commented:
Okay, I'm having a little trouble with it.  This is how the rule reads:

Apply rule to message
when the AnyOfToCcHeaderMemberOf contains [/w*@*]{25,}
Do stuff

What do you think?
0
 
LEAD Support (Author) Commented:
Sorry, the above message was a typo; it should read like this:

Apply rule to message
when the AnyOfToCcHeaderMemberOf contains [\w*@*]{25,}
Do stuff
0
 
LEAD Support (Author) Commented:
I changed the header to be: AnyOfToCcHeader and still no love
0
 
LEAD Support (Author) Commented:
You said it.  I contacted Microsoft and this is not possible, or so they say.

It looks like the users win.
0
 
pi01162 Commented:
Hi,
Did you find a solution to catch more than X recipients by transport rule? I need that to prevent users from sending email to external recipients.
0