Track Email Message and User

Posted on 2009-12-22
Last Modified: 2012-05-08
Good Day,

We run an Exchange 2007 environment that consists of 2 servers.
An Edge server, and another server that has the CA, HT and Mailbox roles configured.
All of our users run Outlook 2007.

We suspect that a message was sent illegally from one of the users within our organization.
How do we search for that message or track it using certain words (or a string of words)? And can we run the search under one particular user, or will it just search the entire mailbox database for messages that include those words or string of words?
Question by:Treadstone21
    LVL 6

    Accepted Solution

    Assuming that message tracking is enabled for your organization, then this tutorial should get you all the info you need: (also read part 2)
    LVL 65

    Assisted Solution

    Message tracking will only give you information on the subject line, to and from. Nothing about the body.
    For body type searches you will need to use export-mailbox.

    This article from the MS Exchange team pretty much explains the scenario.
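
The two searches discussed above, as an added example that is not part of the thread or any poster's own code: message tracking for envelope data, then Export-Mailbox for a body keyword search against one mailbox or a whole database. It assumes Exchange 2007 SP1 and an account with Full Access to the source and target mailboxes; the server, database, mailbox names, keywords and dates are placeholders.

```powershell
# Run in the Exchange Management Shell (Exchange 2007 SP1).
# Every name and value below is a placeholder chosen for this example.
$Server       = 'EXCH01'                         # hypothetical HT/Mailbox server
$Database     = 'EXCH01\First Storage Group\Mailbox Database'
$Suspect      = 'jdoe'                           # alias of the mailbox under review
$SuspectSmtp  = 'jdoe@example.com'
$Investigator = 'investigations'                 # mailbox that receives the copies
$Keywords     = 'project falcon', 'confidential pricing'
$From         = Get-Date '2009-12-01'
$To           = Get-Date '2009-12-22'

# 1. Message tracking: sender, recipients, subject and timestamps only.
#    Recipients is an array, so flatten it before writing the CSV.
Get-MessageTrackingLog -Server $Server -Sender $SuspectSmtp `
        -Start $From -End $To -ResultSize Unlimited |
    Select-Object Timestamp, EventId, Source, Sender, MessageSubject, MessageId,
        @{ Name = 'Recipients'; Expression = { [string]::Join(';', $_.Recipients) } } |
    Export-Csv -Path ".\tracking-$Suspect.csv" -NoTypeInformation

# 2. Body search limited to ONE user: copy items whose body or attachment
#    content matches a keyword into a folder in the investigation mailbox.
#    Without -DeleteContent the source mailbox is left untouched.
Export-Mailbox -Identity $Suspect `
    -ContentKeywords $Keywords `
    -StartDate $From -EndDate $To `
    -TargetMailbox $Investigator -TargetFolder "Case-$Suspect"

# 3. Same search across EVERY mailbox in one database: pipe the mailboxes in.
#    Each source mailbox gets its own subfolder under the target folder.
Get-Mailbox -Database $Database -ResultSize Unlimited |
    Export-Mailbox -ContentKeywords $Keywords `
        -StartDate $From -EndDate $To `
        -TargetMailbox $Investigator -TargetFolder 'Case-AllMailboxes'
```

Step 2 and step 3 only find items that still exist in the mailbox, so they do not replace journaling for messages a user has already purged.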

    LVL 7

    Assisted Solution

    This will only work for messages that are still in existence in some form in an inbox, sent items, deleted folder etc. So, if your user is semi-savvy and knows to delete messages from all folders then it's gone. In order to guarantee you can track all messages in the future, you can use journaling. Here's a good article.

    I recommend using journalling with a 3rd party product such as arcmail that accepts the journalled email and indexes it for fast retrieval. Read the "Now where did that email go?" blog at for info.


    Author Closing Comment

    The journaling suggestion is very helpful
    LVL 6

    Expert Comment

    btw, I just implemented a great archiving tool: Mimosa NearPoint. It's got its quirks, but the great thing about it is that it archives all items in your Exchange environment - no matter what, at zero impact to your Exchange servers (contrary to what journalling does). The way they're dealing with mail makes it useful for forensic purposes - which, in effect, is what you're doing here. Plus, of course, it allows you to slim down your Exchange db's by archiving to the archive and then deleting online content. And no, I don't own any of their stock :-)
