Friday, February 8, 2013

Message Tracking FTW


Signed, Sealed, Delivered, It’s Yours




Like a fool you went and blocked my email
Now you’re wondering if my mail’s still there
Oo baby, here it is, signed, sealed delivered, it’s yours

Then that time I went and said goodbye
Now I'm back and not ashamed to cry
Oo baby, here’s my mail, signed, sealed delivered, it’s yours

Here’s my mail baby
Oh, you've got the rules in your hand
(signed, sealed delivered, it’s yours)

Here’s my mail baby
Oh, you've got the rules in your hand
(signed, sealed delivered, it’s yours)

Outlook has a lot of foolish things
That they really didn't need
Hey, hey, yea, yea, Microsoft, oh baby

Seen a lot of things in this old software
When it touched them they did nothing, girl
Oo baby, here’s my mail, signed, sealed delivered, it’s yours, oh it’s yours

Oo-wee babe you set my phone on fire
That's why I know my mail is your only desire
Oo baby, here’s my mail, signed, sealed delivered, I'm yours

Here’s my mail baby
Oh, you've got the rules in your hand
(signed, sealed delivered, it’s yours)

Here’s my mail baby
Oh, you've got the rules in your hand
(signed, sealed delivered, it’s yours)

Outlook has a lot of foolish things
That they really didn't need
I could be a broken man but here’s my mail


Users keep telling me, “I didn’t get <person X>’s email… fix it!”


Where does one start with this issue? A couple of different places:
1.  Smarthost/Anti-Spam (MessageLabs, Barracuda, FOPE, Mimecast, etc)
2.  Mail Gateways (Edge Transport, IronPort, Barracuda, etc)
3.  Exchange servers

If the user was kind enough to give you the message subject, the sender’s email address and the approximate time it was supposed to have been sent, it’ll make your job a lot easier. Depending on the actual system I’m looking into, I take different approaches to find the message: I might start at the smarthost and work inward, or, if there’s no access to the smarthost, I’ll start from Exchange. My main goal is to find the message and prove that it WAS delivered into the mailbox, and that the user either can’t see it or it was processed by a Mailbox Rule or the Junk Mail filters and placed in a folder other than the Inbox.

While investigating a user who was reporting an issue receiving emails, I checked their server-side rules through the Exchange Management Shell and was blown away by the first rule…

get-inboxrule -mailbox <User>


Description : If the message:
                   the message was sent only to me.
              Take the following actions:
                  delete the message and stop processing more rules on this message
Enabled     : True
Priority    : 1

If you’re scratching your head on this one, then I can’t help you other than… “Well, that’s one way of getting out of work.” Any email that was addressed ONLY to the user would get automatically deleted. Granted, if the user was CC’ed, or another user was added to the To or CC, then she would receive the message. I can understand why she was having issues with her email. To test this out, and to see if the OOF message that the user configured was actually working, I sent the user a test message… oddly enough, when I went through the logs, I had an AHA! moment. The logs told me the EXACT folder the message was delivered to… My mind was blown.
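A rule like that is easy to miss when you look at one mailbox at a time, so here is an added example (not from the original post) that sweeps mailboxes for enabled server-side rules that delete mail or file it into Deleted Items or Junk E-Mail, and reports why each one was flagged. The function name and the folder list are my assumptions; it assumes an Exchange Management Shell session with rights to read every mailbox’s rules.

```powershell
# Added example, not from the original post: sweep mailboxes for server-side inbox rules
# that delete or hide mail, like the "sent only to me -> delete" rule found above.
# Assumes an Exchange Management Shell session; Get-Mailbox/Get-InboxRule are real cmdlets.
function Find-DeletingInboxRules {
    param(
        # Narrow the sweep to one mailbox; otherwise every mailbox in the org is checked
        [string]$Mailbox,
        # Folders that count as "hidden from the user" when a rule moves mail there (assumed list)
        [string[]]$HiddenFolders = @('Deleted Items', 'Junk E-Mail')
    )
    if ($Mailbox) { $mailboxes = Get-Mailbox -Identity $Mailbox }
    else          { $mailboxes = Get-Mailbox -ResultSize Unlimited }
    foreach ($mbx in $mailboxes) {
        # Get-InboxRule opens the mailbox; skip ones we cannot reach instead of aborting the sweep
        $rules = Get-InboxRule -Mailbox $mbx.Identity -ErrorAction SilentlyContinue
        foreach ($rule in $rules) {
            if (-not $rule.Enabled) { continue }
            $reasons = @()
            if ($rule.DeleteMessage) { $reasons += 'deletes the message' }
            # MoveToFolder renders as "<mailbox>:\<folder path>"; match on the leaf folder name
            $target = "$($rule.MoveToFolder)"
            foreach ($f in $HiddenFolders) {
                if ($target -like "*\$f") { $reasons += "moves to $f" }
            }
            if ($reasons.Count -eq 0) { continue }
            # SentOnlyToMe as the only condition is the exact shape of the rule shown above
            if ($rule.SentOnlyToMe) { $reasons += 'fires on every message sent only to the user' }
            New-Object PSObject -Property @{
                Mailbox   = $mbx.PrimarySmtpAddress
                Rule      = $rule.Name
                Priority  = $rule.Priority
                StopsHere = $rule.StopProcessingRules
                Why       = ($reasons -join '; ')
            }
        }
    }
}

# Report per mailbox, rules that run first (lowest priority number) at the top
Find-DeletingInboxRules | Sort-Object Mailbox, Priority |
    Format-Table Mailbox, Rule, Priority, StopsHere, Why -AutoSize
```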

Timestamp               : 1/3/2013 3:41:30 PM
Source                  : STOREDRIVER
EventId                 : DELIVER
Recipients              : {user@righthandedexchange.com}
RecipientStatus         : {Deleted Items}
MessageSubject          : Test Message
Sender                  : dontspamme@righthandedexchange.com

Up until this moment, I was only looking for the DELIVER event ID to prove that the message was received in the mailbox, but I could only give the user a guess on where it might have gone (check the junk mail folder, check your deleted items, etc). I decided to put my theory to the test: could I reproduce the results and gather the correct information for multiple users?

I came up with a parser for a given set of Message Tracking results:

#Modify to grab the desired result set (add -Sender, -Recipients, -MessageSubject, etc)
$results= Get-TransportServer |get-messagetrackingLog -EventID deliver

#Parse the data
$MessageResults=@()
$results|%{
      #Check each recipient to see where the message was delivered
      for ($i = 0; $i -le $_.Recipients.Count -1; $i++)
      {
            #Select adds the empty Recipient and DeliveredFolder properties that are filled in below
            $temp=$_|Select TimeStamp, ClientHostName, ServerHostName, SourceContext, Source, EventID, InternalMessageID, MessageID, TotalBytes, Reference, MessageSubject, Recipient, DeliveredFolder,Sender, ReturnPath, MessageInfo, EventData
            $temp.Recipient=$_.Recipients[$i]
            #RecipientStatus holds the delivery folder at the same index as Recipients
            $folder=$_.RecipientStatus[$i]
            #An empty status means the message landed in the Inbox
            if ($folder) {$temp.DeliveredFolder=$folder}
            else {$temp.DeliveredFolder="Inbox"}
            $MessageResults+=$temp
      }
}

$MessageResults|Select TimeStamp, Sender, MessageSubject, Recipient, DeliveredFolder, MessageID
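A reusable version of the parser above, added here as an example rather than taken from the post: it emits one object per recipient, guards against a RecipientStatus array that is empty or shorter than Recipients, and can filter on a single recipient address. The function name and the sample entries are constructed for this example so it runs offline; against real data it assumes an Exchange Management Shell session and PowerShell 2.0 or later.

```powershell
# Added example (not the post's parser): one output object per recipient, with the folder
# taken from RecipientStatus at the same index. STOREDRIVER leaves the status empty when
# the message landed in the Inbox, so an empty or missing status is reported as "Inbox".
function Expand-DeliveredFolder {
    param(
        [Parameter(ValueFromPipeline = $true)] $Entry,   # one Get-MessageTrackingLog DELIVER event
        [string]$Recipient                               # optional: report only this address
    )
    process {
        for ($i = 0; $i -lt $Entry.Recipients.Count; $i++) {
            $rcpt = $Entry.Recipients[$i]
            if ($Recipient -and ($rcpt -ne $Recipient)) { continue }   # -ne is case-insensitive
            # Guard: RecipientStatus can be empty or shorter than Recipients
            $status = $null
            if ($Entry.RecipientStatus -and ($i -lt $Entry.RecipientStatus.Count)) {
                $status = $Entry.RecipientStatus[$i]
            }
            if ([string]::IsNullOrEmpty($status)) { $folder = 'Inbox' } else { $folder = $status }
            New-Object PSObject -Property @{
                Timestamp       = $Entry.Timestamp
                Sender          = $Entry.Sender
                MessageSubject  = $Entry.MessageSubject
                Recipient       = $rcpt
                DeliveredFolder = $folder
                MessageId       = $Entry.MessageId
            }
        }
    }
}

# Constructed sample entries standing in for real tracking-log results (runs offline)
$sample = @(
    (New-Object PSObject -Property @{
        Timestamp = [datetime]'2013-01-03T15:41:30'; Sender = 'dontspamme@righthandedexchange.com'
        MessageSubject = 'Test Message'
        Recipients = @('user@righthandedexchange.com', 'boss@righthandedexchange.com')
        RecipientStatus = @('Deleted Items', '')     # second recipient got it in the Inbox
        MessageId = '<constructed-1@server.righthandedexchange.com>' }),
    (New-Object PSObject -Property @{
        Timestamp = [datetime]'2013-01-03T15:42:00'; Sender = 'user@righthandedexchange.com'
        MessageSubject = 'Which Old Witch?'; Recipients = @('dontspamme@righthandedexchange.com')
        RecipientStatus = @()                        # no status at all: plain Inbox delivery
        MessageId = '<constructed-2@server.righthandedexchange.com>' })
)
$sample | Expand-DeliveredFolder | Format-Table Timestamp, Recipient, DeliveredFolder, MessageSubject -AutoSize

# Against a live server, replace $sample with:
# Get-TransportServer | Get-MessageTrackingLog -EventId DELIVER -Start (Get-Date).AddDays(-1) |
#     Expand-DeliveredFolder -Recipient user@righthandedexchange.com
```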

So… What does that mean… and how do I read it? Here’s a sample

Timestamp       : 1/10/2013 12:32:47 PM
Sender          : dontspamme@righthandedexchange.com
MessageSubject  : Ding Dong the Witch Is Dead
Recipient       : User@righthandedexchange.com
DeliveredFolder : Inbox
MessageId       : 6BF60522B0D63649900CEE7AF6B582530BBFDB4D@server.righthandedexchange.com

Another example being moved to the user’s Junk

Timestamp       : 1/10/2013 12:32:47 PM
Sender          : User@righthandedexchange.com
MessageSubject  : Which Old Witch?
Recipient       : dontspamme@righthandedexchange.com
DeliveredFolder : Bad Puns Folder
MessageId       : ADKAJFE3W85463W7TESDG8453843@server.righthandedexchange.com

Keep in mind, this doesn’t take into consideration any client-side rules, which only run when the user opens Outlook, but those rules aren’t as common as the server-side rules.

By the way… I fixed the user’s rules…
Get-InboxRule -Mailbox <user> | Remove-InboxRule

Magically… the user started seeing a lot more email in the Inbox… Who would have thought?
