LTWadmin

EMail Chain of Custody Probe

I have a SENDER who sent an email (see attached) on 10/14 (according to what's displayed in her sent items box).  SENDER insists she sent the email on that date.  The RECIPIENT shows THAT email as SENT on 10/18 in the header on his machine.  Server Message Tracking shows only ONE of the 4 emails sent between the two for this subject on 10/20.  

SENDER suspects internal email problem.  No DELAY messages were received by the SENDER (As far as I know).

I need to get the forensics right on this one because this is an email toxic (no tolerance for error) environment.  How do I:

a) rule out an internal problem?
b) show that the email may have been added to the SENDER'S Delayed email schedule?
c) reconcile the differences displayed for the sent date on the SENDER/RECIPIENT'S Machines?

Footnotes: SENDER is an Exec Secretary who routinely uses the delayed email function. RECIPIENT is a part timer whose laptop is usually in sleep mode several times a week. No other staff (of 40) report similar issues. SENDER has had corrupted Outlook cache issues before...  No other staff has had (reported) anything similar.
FDiskWizard

The headers on the recipient's copy would show if it were delayed along the way.
Even if hopping through different timezones, it should still have, say, 6 mins after the hour the whole way on all of the timestamps: i.e. 12:06:10 +/-timezone.
Normally it should only take seconds to traverse the path to the mailbox.

So, did they receive these 4 emails sent back and forth? Or just one?
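The hop-by-hop timestamp comparison described in the answer above, as an added example that is not part of the original thread: it reads the client-stamped Date header and each server-stamped Received header, then reports the delay for every segment of the path. The sample message, host names, function names and the 300-second threshold are all constructed assumptions.

```python
from email import message_from_string
from email.utils import parsedate_to_datetime

# Constructed sample message: hosts, addresses and times are made up.
SAMPLE = """\
Received: from hub.example.test (10.0.0.2) by mbx.example.test (10.0.0.3);
 Tue, 18 Oct 2022 07:06:14 -0400
Received: from client-pc (10.0.0.50) by hub.example.test (10.0.0.2);
 Tue, 18 Oct 2022 07:06:10 -0400
Date: Fri, 14 Oct 2022 16:32:05 -0400
From: sender@example.test
To: recipient@example.test
Subject: constructed sample

body
"""


def hop_times(raw):
    """Return (Date header, [Received timestamps, oldest first])."""
    msg = message_from_string(raw)
    stamps = []
    for value in msg.get_all("Received", []):
        if ";" not in value:
            continue  # no timestamp on this hop, nothing to compare
        # The timestamp is whatever follows the last ';' in the header.
        datepart = value.rpartition(";")[2].strip()
        stamps.append(parsedate_to_datetime(datepart))
    stamps.reverse()  # headers are prepended, so the top one is the newest
    return parsedate_to_datetime(msg["Date"]), stamps


def delays(raw):
    """Seconds spent in each segment: Date -> hop 1 -> hop 2 -> ..."""
    date_hdr, stamps = hop_times(raw)
    points = [date_hdr] + stamps
    return [(b - a).total_seconds() for a, b in zip(points, points[1:])]


def slow_segments(raw, threshold=300):
    """Segments slower than threshold seconds (assumed cut-off)."""
    return [(i, d) for i, d in enumerate(delays(raw)) if d > threshold]


if __name__ == "__main__":
    for index, seconds in slow_segments(SAMPLE):
        where = "before first server hop" if index == 0 else f"before hop {index + 1}"
        print(f"{seconds:.0f}s delay {where}")
```

Aware datetimes are compared, so differing timezone offsets between hops do not distort the result. A large segment 0 means the time was spent before any server stamped the message.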
LTWadmin

ASKER

FDiskWizard: There's no header information in the SENDER or RECIPIENT'S email.  The two users are here locally - members of the same (single) domain and under the same roof...
Yes, realized after sending that this was all INTERNAL.
If user submitted at 10am, and delayed until 11am, it would not show as submitted in message tracking until 11am...  The recipient's copy should show the SENT and Received timestamps.

You mentioned only 1 of 4 emails showed in tracking...
Do your message tracking logs go back more than a couple of days?

Doubtful, but maybe your user has a bad address in contacts for this person? Or do your message logs go back sever
I had something similar not long ago. I had a bad email address on a contact. I sent the email, no errors, but he didn't get it. It didn't show in tracking because I was tracking the wrong address... :)
So, you may want to track on the sender's display name only for sent or received.

I did a couple of tests... the first two had a different SENT vs Received time (sent is shown when email is opened..) The 3rd test, I just submitted, let it sit in the Outbox, and let it deliver in 5 mins. The first two I think I had opened/edited delivery after they were sitting in the Outbox. The timestamps varied.

The 3rd had the exact same time stamp... but in Sent-Items shows close to 6mins before.

I just did another with < 2 min delay like the first two. It had different timestamps. It also went over the a.m. to PM (noon).
Odd/interesting stuff. Don't know if any of that helps, but throwing it out there.


OK, one more track to lead you down... based on the theory that maybe the emails were stuck in the Outbox. The image had an early a.m. timestamp... Maybe just turned on PC/laptop?

Track emails from the sender around that time - see if say 5 emails went at about the same time. It's hard to type/send 5 emails per minute...

Any rules in her Outlook to auto-delay emails being sent?
FDiskWizard: Thanks for this feedback.  I did the email tracking for the entire month (and every way you might slice and dice) and only one email in the sequence (spanning from October 4th -20th) showed up - the one on the 20th.  This actually DOES support your theory that the SENDER may not have used the correct address on the 14th.  

Either way, the fact that you thought through trying to reproduce the problem - and can - may be enough exoneration in and of itself.  In other words, there may be a time stamp bug...
ASKER CERTIFIED SOLUTION
FDiskWizard
FDiskWizard: Good one.  I'll have a look ASAP!
So, did that work out for you?
Thanks for your help - I don't think any one response hit the mark in this case but your responses were useful.