Email changing Outlook 2003/Exchange 2010

Say user X sends user Y an internal email using the corporate Exchange 2010 server. If, say for example, the text of the email body changed somewhere (both use Outlook 2003 to send and receive email), how could you see who edited the actual email body, i.e. the sender or the recipient?

Say user Y has an email in their sent box with one version of the email, and user X has it in their inbox with a totally different email body text. How could/can you check which one of them maliciously edited the email body text?


Could it be user Y sends an email, then decides “Oh no, I didn’t mean to send that, that will get me in trouble, I’ll edit my sent email and then blame them for changing it maliciously at their end”.

Or could it be user X receiving the email, then decides “Ah, I’ll change this and report on them for sending inappropriate email”, so decides to edit the email in their inbox and then leave it there – and then as the sender has deleted their sent email and emptied the trash can and it's expensive to restore a backup etc. etc. etc.

What audit logs show amendments to email body text and/or attachments? Can you assist on how or where audit logs or modifications may be shown? Be it on the client side or on the Exchange server side?

How can you prove the item in the sent box and the item in the recipient's inbox, if they don’t match – how can you prove who was being naughty and editing it?

William Boyd Commented:
A user can't typically edit a message in their inbox.  Obviously, they can make changes when they forward it, but if the message is resident in the inbox then it should not generally be able to be changed.

I think what you're looking to achieve is "non repudiation"...a $10 word that basically means that once a message is sent, the sender cannot deny sending it. That typically requires signatures.  The upside to this setup is that the content of a signed message cannot be changed without stripping off the signature.

The issue that you'll probably run into - even if your backups are good enough for you to pull each message from the Exchange logs and reverse-read the trail to find the anomaly - is that the sender can always claim that he or she was compromised in some fashion.  While each user has an individual account, there's always the chance that an account could be accessed by someone else (either an unlocked and unattended workstation or an actual break-in).  While it isn't necessarily likely, it is plausible enough to preclude "proof".

Digital signatures can be implemented in conjunction with two-factor authentication if you're looking for a way to enable your infrastructure to facilitate non-repudiation.  Natively, though, there are simply limits to what you can feasibly "prove".

Disclaimer - as a government employee, we have some pretty strict rules about how far we can dig before calling in a legal authority.  I am not familiar with what privacy laws mandate outside of our circles, but to dig in and look to that level of depth for us without a legal mandate (such as a warrant) would be a no-no.
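The point made in the answer above, that the content of a signed message cannot be changed without invalidating the signature, shown as an added example (not part of the original thread). It assumes the `openssl` command-line tool is installed; the address `user.y@example.test`, the message text and the throwaway self-signed certificate are constructed for the demonstration.

```shell
#!/usr/bin/env bash
# Added example: constructed message and throwaway self-signed certificate.
# Shows that editing a signed body makes S/MIME verification fail.

WORK=$(mktemp -d)

# Create a throwaway signing key and certificate (hypothetical user address).
make_signer() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -subj "/CN=user.y@example.test" \
    -keyout "$WORK/key.pem" -out "$WORK/cert.pem" >/dev/null 2>&1
}

# Clear-sign the body in $1 and write the multipart/signed message to $2.
sign_message() {
  openssl smime -sign -text -in "$1" -signer "$WORK/cert.pem" \
    -inkey "$WORK/key.pem" -out "$2" >/dev/null 2>&1
}

# Exit 0 only if the signature still matches the body. -noverify skips
# certificate-chain validation because the demo certificate is self-signed;
# a real deployment validates the chain against the corporate CA instead.
verify_message() {
  openssl smime -verify -noverify -in "$1" -out /dev/null >/dev/null 2>&1
}

# Prints "intact" or "altered" for the message file in $1.
check_copy() {
  if verify_message "$1"; then echo "intact"; else echo "altered"; fi
}

make_signer
printf 'Please approve the budget for project A.\n' > "$WORK/body.txt"  # constructed body
sign_message "$WORK/body.txt" "$WORK/sent.eml"

# Simulate an edit made to one stored copy after signing.
sed 's/approve/reject/' "$WORK/sent.eml" > "$WORK/inbox.eml"

echo "sent copy:  $(check_copy "$WORK/sent.eml")"
echo "inbox copy: $(check_copy "$WORK/inbox.eml")"
```

The check shows which stored copy no longer matches what was signed; it does not by itself identify who held the signing key at the time, which is the limit the answer describes.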

You can modify the view and add columns in Outlook to see who modified it and when. The columns which need to be added are:

Changed By

If the email doesn't exist you can trace the message through Message Tracking.

If the HTML is changed to plain text then there is some other issue, which might be related to anti-virus on the mailing server.
pma111 Author Commented:
I just opened an email in my inbox (Outlook 2003), right clicked the email, chose "edit message" from the popup menu, and then file > save and it's changed it.

Now you add the column through the view and check when it was modified and who modified it.
pma111 Author Commented:

Are you on about "field chooser"? I can't see the 2 fields you mention, what version of Outlook are you using?
William Boyd Commented:
Right-click on the bar above your messages (From, Subject, Received) and select "Field Chooser".  In the drop-down that pops up, select "All Mail Fields".  This is where you will find "Modified" and "Changed By".

Your changed message is still in your Inbox?  Or did it save in Drafts?  I am admittedly handicapped because I am working with Outlook 2010.  If a message can be changed in the Inbox that way, then either we have always had a GPO to disallow this, or I am just undereducated...  :-)
pma111 Author Commented:
For some reason - modified date/time seems accurate, but "changed by" just seems blank? Any idea why?
William Boyd Commented:
Mine does the same thing.  It either shows my own name or nothing.
pma111 Author Commented:
It seems to be a machine issue. I tested 5 mailboxes from 5 individuals. 2 of these have the same device, the other 3 have a different device. On 2 the modified and changed by field is accurate. On the other 3 the modified updates if you edit it but the changed by stays blank. Weird!
William Boyd Commented:
Are any using PST files?  That could have an effect.
pma111 Author Commented:
All have a PST open but the edited by was in the inbox not the PST archive.
pma111 Author Commented:
I wonder if you can view "changed by" on the server side, albeit I can't access Exchange like an admin.
I am using Outlook 2010 in cached mode and can see the proper user modified name and change date.

I assume blank means it is the default message which means not modified and when you change it yourself then your name is displayed.
pma111 Author Commented:
>>I assume blank means it is the default message which means not modified and when you change it yourself then your name is displayed.

No, when I modify it the modified date changes but the changed by name doesn't change at all, i.e. it remains blank. I am not sure how to check if I am running "cached mode" but I am using 2003 not 2010. How can I check?
pma111 Author Commented:
I think I am running cached mode. Maybe I'll untick that and see if it makes a difference.
OK, share your findings. Also see what SP level you are working on. Please update to the latest Service Pack for Office.
pma111 Author Commented:
Yes, unticked use cached mode, restarted Outlook, edited an email and it works!
That's good.