CC recipient receives email but TO recipient does not
Hello Experts,
This is an odd one for you guys. I have a user who did not receive a message that was sent to him directly and CC'd to another employee. BUT, the CC'd employee DID receive the message though. How is this possible?
My email flow is as follows - First touch is McAfee MxLogic Spam filter in the cloud, then onto a Cisco IronPort on my local LAN, then onto my internal Exchange 2007 server which then Journals the message for Global Relay to pickup and archive...
For clarity, let's call the TO recipient User_TO, and the CC'd recipient User_CC...
I begin my search for this message at Global Relay, a third party email archiving solution in the cloud. According to them, User_TO & User_CC both recieved the message in question. User_TO insists he did not so i run the same search against the message tracking log in Exchange. Sure enough, the logs report that USER_TO did NOT receive the message. The logs only show the CC recipient receiving the message!
So i jump into the Exchange Management Shell and using export-mailbox, pull the message in question into a .pst from User_CC's account. I open the .pst and the message does show USER_TO's email address in the To field. I run the same cmdlet against USER_TO's account and the message is no where to be found.
This doesn't make any sense so my next next search is against the Ironport. It gets interesting here because i find the message in question in the logs but the envelope recipient listed is USER_CC. USER_TO is NOT listed anywhere...
Since the Ironport hands the messages off to the exchange server, it makes sense that the logs in exchange don't show USER_TO as that user is not in the header according to the Ironport. But, how on earth is the message showing USER_TO in the USER_CC's inbox and in the Global Relay/Journalled copy?!
USER_TO is in panic mode as he may lose his job over this. The message was very critical & they think he's lying. I want to tell management he's not lying but i have conflicting records of what happened to this message AND USER_CC (his manager) has a copy of this message with USER_TO in the header! I also want to dscover if my email flow is flawed somehow. Any guidance here would be greatly appreciated...
IronPort-log-for-EE
This is an odd one for you guys. I have a user who did not receive a message that was sent to him directly and CC'd to another employee. BUT, the CC'd employee DID receive the message though. How is this possible?
My email flow is as follows - First touch is McAfee MxLogic Spam filter in the cloud, then onto a Cisco IronPort on my local LAN, then onto my internal Exchange 2007 server which then Journals the message for Global Relay to pickup and archive...
For clarity, let's call the TO recipient User_TO, and the CC'd recipient User_CC...
I begin my search for this message at Global Relay, a third party email archiving solution in the cloud. According to them, User_TO & User_CC both recieved the message in question. User_TO insists he did not so i run the same search against the message tracking log in Exchange. Sure enough, the logs report that USER_TO did NOT receive the message. The logs only show the CC recipient receiving the message!
So i jump into the Exchange Management Shell and using export-mailbox, pull the message in question into a .pst from User_CC's account. I open the .pst and the message does show USER_TO's email address in the To field. I run the same cmdlet against USER_TO's account and the message is no where to be found.
This doesn't make any sense so my next next search is against the Ironport. It gets interesting here because i find the message in question in the logs but the envelope recipient listed is USER_CC. USER_TO is NOT listed anywhere...
Since the Ironport hands the messages off to the exchange server, it makes sense that the logs in exchange don't show USER_TO as that user is not in the header according to the Ironport. But, how on earth is the message showing USER_TO in the USER_CC's inbox and in the Global Relay/Journalled copy?!
USER_TO is in panic mode as he may lose his job over this. The message was very critical & they think he's lying. I want to tell management he's not lying but i have conflicting records of what happened to this message AND USER_CC (his manager) has a copy of this message with USER_TO in the header! I also want to dscover if my email flow is flawed somehow. Any guidance here would be greatly appreciated...
IronPort-log-for-EE
ASKER CERTIFIED SOLUTION
membership
This solution is only available to members.
To access this solution, you must be a member of Experts Exchange.
ASKER
USER_TO is an internal contact.
If he deleted it, it's not a recoverable deleted item. There were other delete items recovered from the day in question but not the message we're looking for. I really don't think he deleted it only because the Message Tracking logs in the Exchange server don't list him as ever receiving it. I've searched the Exchange logs for every available EventID and nothing for USER_TO comes up. Only USER_CC comes up. Same can be said for the Ironport logs.
As much as i would love to, i cannot have the original sender resend the message repeatedly as he is a customer and it wouldn't be possible to tie up a customer to help us with an internal IT issue. We may lose the customer or at best annoy the him.
I confirmed that the sender could not have gotten USER_TO's address wrong as the sender was replying to en email thread started by USER_TO...
I don't quite see how clearing the views will show the message if i can't even see it in the USER_TO's inbox using server side tools...
I was busy with other projects toady, but tomorrow i'll spend some more time at USER_TO's desk checking his rules. I will also check the GAL as you've suggested.
Thanks for the help! I'll report my findings tomorrow.
If he deleted it, it's not a recoverable deleted item. There were other delete items recovered from the day in question but not the message we're looking for. I really don't think he deleted it only because the Message Tracking logs in the Exchange server don't list him as ever receiving it. I've searched the Exchange logs for every available EventID and nothing for USER_TO comes up. Only USER_CC comes up. Same can be said for the Ironport logs.
As much as i would love to, i cannot have the original sender resend the message repeatedly as he is a customer and it wouldn't be possible to tie up a customer to help us with an internal IT issue. We may lose the customer or at best annoy the him.
I confirmed that the sender could not have gotten USER_TO's address wrong as the sender was replying to en email thread started by USER_TO...
I don't quite see how clearing the views will show the message if i can't even see it in the USER_TO's inbox using server side tools...
I was busy with other projects toady, but tomorrow i'll spend some more time at USER_TO's desk checking his rules. I will also check the GAL as you've suggested.
Thanks for the help! I'll report my findings tomorrow.
I would look at USER_TO Deleted Items, If not there I would also look at
Deleted Items Option, recover deleted Items