Solved

User would like to investigate a message that never sent

Posted on 2010-09-09
Last Modified: 2012-06-27
Hi Experts,

A user is complaining that she never sent a specific email, and would like to know the root cause of this.

I did trace the message from Exchange 2007 EMC, Tools, and it looks like the message was sent; however, it is not showing in her sent or Blackberry device.

Any ideas?

Question by:Jerry Seinfield
15 Comments
 
LVL 32

Expert Comment

by:endital1097
ID: 33638011
enable the recovery bin for Outlook and then go to tools, recover deleted items for the sent items folder
make sure it wasn't permanently deleted
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33638046
when you run the get-messagetrackinglog cmdlet look at the sourcecontext value
there is a mailbox guid value in there

use that value with the get-mailbox cmdlet to determine the source mailbox
0
 

Author Comment

by:Jerry Seinfield
ID: 33638128
The sourcecontext value does not have any values

Any ideas?
0

 
LVL 32

Expert Comment

by:endital1097
ID: 33638214
run get-messagetrackinglog against the mailbox server
if there is no eventid = submit, then i would start thinking the message is spoofed
0
 
LVL 30

Expert Comment

by:Sudeep Sharma
ID: 33638542
I think the same; I believe the message is spoofed. To verify this I would ask for the headers of the email which was sent to the recipient. Could you contact the recipient and ask them to provide the internet headers of the email?

That would confirm if the message was sent from your servers or if it was spoofed and sent from some other server.

Sudeep
0
 

Author Comment

by:Jerry Seinfield
ID: 33638546
I ran message tracking again on hub server, and results below

Something strange: the sender column has not been exported into the CSV file, but I can see that row in the message tracking tool.
results.xlsx
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33638682
that is a powershell issue (not real issue, but reason for output problem)

like sudeep said, the easiest way to determine the source is to get the message and view the headers (i thought this left the company)
the get-messagetrackinglog must be run against the mailbox server to verify that there is a SUBMIT eventid, this would tell us that the message reached the user's outbox for delivery
without the SUBMIT its source is not the mailbox
0
 

Author Comment

by:Jerry Seinfield
ID: 33638829
Just to clarify, this issue is for internal users, not external
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33638844
then go to the person that received the message
right-click on the message and select message options

you can track the flow of the message from the headers
if you need assistance you can post the headers
0
 

Author Comment

by:Jerry Seinfield
ID: 33639048
I ran get-messagetrackinglog against the mailbox server and found there is an eventid = submit; please see attached file.

Any other ideas?
resultsMB5.xlsx
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33639067
this message appears to have been sent using a bb device, look at the message id
<1B37AA611039984393B496D742F5247805DCB0F3@XCH105CNC.rim.net>

i would get the message headers from someone that received the message to verify
0
 

Author Comment

by:Jerry Seinfield
ID: 33639435
Hi endital1097,

We finally got the message headers for both sender and receiver, same as attached file, and I found it in her deleted items.

Both users swear they did not compose the message, nor send it.

Any ideas?
0
 
LVL 32

Expert Comment

by:endital1097
ID: 33639476
here is an example of the headers we would like to see:

Received: from www5.experts-exchange.com (64.156.132.145) by
 mail.contoso.com (192.168.4.7) with Microsoft SMTP Server id 8.2.176.0;
 Thu, 9 Sep 2010 13:45:08 -0400
Received: from www5.experts-exchange.com (localhost [127.0.0.1]) by
 www5.experts-exchange.com (8.14.4/8.14.4) with ESMTP id o89HliWx033477 for
 <jim@endital.com>; Thu, 9 Sep 2010 10:47:44 -0700 (PDT) (envelope-from
 noreply@experts-exchange.com)
0
 

Author Comment

by:Jerry Seinfield
ID: 33639505
I just connected to her computer, and I found it in her deleted items…

Both users swear they did not compose the message, nor send it.

Any ideas why this happened?

Any known issues, or bugs in Outlook/Exchange 2007 I should be aware of?

0
 
LVL 32

Accepted Solution

by:
endital1097 earned 500 total points
ID: 33639550
yes, it is something they weren't supposed to send and they are denying responsibility

the fact that the tracking log shows a SUBMIT event tells us someone hit send
the only other thing you could check would be to see if someone has access to their mailbox and also send-as permission
0
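
The checks suggested across this thread (a SUBMIT event on the mailbox server, the mailbox GUID in SourceContext, then mailbox access and send-as rights) can be run as one pass in the Exchange Management Shell. This is an added example, not part of the original thread; the server name, sender address and date are placeholders, and the "Mailbox:<guid>" layout of SourceContext is an assumption.

```powershell
# Added example for the Exchange Management Shell. Placeholder values only.
$MailboxServer = 'MBX01'               # hypothetical mailbox server name
$Sender        = 'user@contoso.com'    # hypothetical sender address
$Start         = Get-Date '2010-09-09' # day the disputed message was sent
$End           = $Start.AddDays(1)

# 1. SUBMIT on the mailbox server means the message left a mailbox there.
$submits = @(Get-MessageTrackingLog -Server $MailboxServer -Sender $Sender `
    -EventId SUBMIT -Start $Start -End $End -ResultSize Unlimited)

if ($submits.Count -eq 0) {
    Write-Warning "No SUBMIT for $Sender on $MailboxServer. Ask a recipient for the headers."
    return
}

foreach ($e in $submits) {
    $e | Format-List Timestamp, EventId, Source, Sender, MessageSubject, MessageId

    # The thread reads a rim.net Message-ID as a sign the mail came from a BlackBerry.
    if ($e.MessageId -match 'rim\.net') { Write-Host 'Message-ID host is under rim.net' }

    # 2. Extract the mailbox GUID (assumed format: "Mailbox:<guid>").
    if ($e.SourceContext -notmatch 'Mailbox:\s*([0-9a-fA-F-]{36})') {
        Write-Warning "No mailbox GUID in SourceContext: '$($e.SourceContext)'"
        continue
    }
    $guid = $Matches[1]

    # 3. Resolve the GUID to the submitting mailbox (slow but unambiguous).
    $mbx = Get-Mailbox -ResultSize Unlimited |
        Where-Object { $_.ExchangeGuid.ToString() -eq $guid }
    if (-not $mbx) { Write-Warning "No mailbox with ExchangeGuid $guid"; continue }
    Write-Host "Submitted from mailbox: $($mbx.DisplayName)"

    # 4. Explicit (non-inherited) full-access grants to anyone but the owner.
    Get-MailboxPermission -Identity $mbx.Identity |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' -and
                       $_.AccessRights -like '*FullAccess*' } |
        Format-Table User, AccessRights, Deny -AutoSize

    # 5. Send-As is an AD extended right, so it is read with Get-ADPermission.
    Get-ADPermission -Identity $mbx.DistinguishedName |
        Where-Object { $_.ExtendedRights -like '*Send-As*' -and
                       $_.User -notlike 'NT AUTHORITY\SELF' } |
        Format-Table User, ExtendedRights, IsInherited, Deny -AutoSize
}
```

Any account listed by steps 4 or 5 other than the mailbox owner is a candidate sender; inherited Send-As entries are shown because they still grant the right.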


Question has a verified solution.
