Exchange administrators sometimes need to scan an Exchange 2000 Server mailbox or public folder Store for messages that contain specific content. For example, suppose your legal or human resources (HR) department requires you to produce all messages that a certain person sent or that contain a specific keyword. More likely, management might ask you to scan the Store for all instances of a particular attachment, find messages about a particular subject, or eradicate all traces of a classified or sensitive message that was distributed too widely by mistake. Exchange doesn't offer tools for doing these tasks, but you can adapt some of Exchange's built-in tools for various content-scanning purposes. Microsoft and third-party alternatives are also available that can make this job a little easier.
Look Who's Talking
The simplest monitoring task is tracking email sent to or from a particular user. To perform this task, you need to enable message tracking on your Exchange servers. In Exchange System Manager (ESM), open the Properties dialog box for each Exchange server and make sure Enable message tracking is selected. (If you also select Enable subject logging and display, you'll be able to search the tracking logs by message subject, a handy capability.) You must turn on message tracking for all your Exchange servers; otherwise, the tracking logs will contain gaps and make figuring out what actually happened to the messages you're tracking difficult. In addition, you'll need to use the Log file maintenance controls on the General tab to adjust the retention period for tracking logs. By default, Exchange keeps logs for only 7 days, so you can't search the Store for messages older than that. By increasing the log retention period, you can search older messages. However, be careful that you don't let the logs use up all your disk space.
Tracking logs are simple text files, so if you're handy with a scripting or programming language, you can easily write code to parse, search, or analyze log files in whatever way you require. Alternatively, an automated reporting tool, such as Quest Software's MessageStats, can do some of the analysis for you.
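As an added example (not code from the original article), here is one way such a script could search a tracking log by address and subject keyword. It assumes a tab-delimited layout with "#" comment lines, one of which names the columns; the column names and the sample entries are constructed for illustration, and the subject column is only useful when subject logging is enabled.

```python
# Constructed sample (not real log data). Assumed layout: tab-delimited entries,
# "#" comment lines, one of which names the columns; real logs have more columns.
SAMPLE_LOG = (
    "# Message Tracking Log File\n"
    "# Date\tTime\tRecipient-Address\tEvent-ID\tMSGID\tMessage-Subject\tSender-Address\n"
    "2002-3-4\t14:02:11 GMT\tbob@example.com\t1\t<a1@example.com>\tQ3 forecast\talice@example.com\n"
    "2002-3-4\t14:02:12 GMT\tbob@example.com\t2\t<a1@example.com>\tQ3 forecast\talice@example.com\n"
    "2002-3-4\t14:30:40 GMT\talice@example.com\t1\t<a2@example.com>\tLunch\tcarol@example.com\n"
    "2002-3-4\t15:01:05 GMT\tdave@example.com\t1\t<a3@example.com>\tRE: Q3 Forecast\tbob@example.com\n"
    "2002-3-4\t15:10:00 GMT\tdave@example.com\t1\t<a4@example.com>\n"  # truncated entry
)


def read_tracking_log(lines):
    """Yield one dict per log entry, keyed by the lower-cased column names."""
    columns = None
    for raw in lines:
        line = raw.rstrip("\r\n")
        if not line:
            continue
        if line.startswith("#"):
            names = line.lstrip("# ").split("\t")
            if len(names) > 1:  # the comment line that lists the columns
                columns = [n.strip().lower() for n in names]
            continue
        if columns is None:
            raise ValueError("entry found before any column header line")
        fields = line.split("\t")
        fields += [""] * (len(columns) - len(fields))  # pad truncated entries
        yield dict(zip(columns, fields))


def find_messages(entries, address=None, subject_keyword=None):
    """Entries sent to or from `address` whose subject contains the keyword."""
    address = address.lower() if address else None
    keyword = subject_keyword.lower() if subject_keyword else None
    hits = []
    for e in entries:
        parties = (e.get("sender-address", "").lower(), e.get("recipient-address", "").lower())
        if address and address not in parties:
            continue
        if keyword and keyword not in e.get("message-subject", "").lower():
            continue
        hits.append(e)
    return hits


def unique_message_ids(entries):
    """A message logs one entry per event, so collapse hits to distinct MSGIDs."""
    return list(dict.fromkeys(e.get("msgid", "") for e in entries if e.get("msgid")))
```

To cover the whole organization, run the same search over the log files from every Exchange server and merge the results by message ID.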
Monitoring Mailboxes
Sometimes you might need to monitor mail to and from an individual mailbox or a set of mailboxes. You can do this three ways. The first, and usually the easiest, is to grant another account (let's call it the inspection account) Send As and Receive As permissions on the mailbox so that the inspection account can open the mailbox and read the messages. To grant these permissions, launch the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the account of the user whose mailbox you want to inspect, and select Properties. Click the Exchange Advanced tab. (If you don't see this tab, close the Properties dialog box, click the View menu, select Advanced, then reopen the Properties page.) Click Mailbox Rights. When the Permissions dialog box appears, use the Add button to grant Send As and Receive As permissions to the inspection account.
One problem with this approach is that whoever uses the inspection account must be careful not to leave any traces: users are likely to be unhappy if their mail clients show that their new messages have already been read. Be sure to set the inspection account's preview pane not to mark messages as read.
Return and delivery receipts, which Exchange generates by default when the sender requests them, cause another problem with this approach. Let's say that Alice sends Bob a message that contains a return receipt request and that Charlie is monitoring Bob's mailbox. When Charlie reads Alice's message, his client will return a receipt to Alice, who will then know that Charlie is inspecting Bob's account. To prevent this problem, either turn off return receipt handling in your mail client or use a third-party utility such as Grinning Shark Software's Watch Your Back!, which lets you control whether Microsoft Outlook generates receipts and which receipts it generates.
The second method of monitoring mailboxes is to use Exchange 2000's message journaling feature, which copies to a recipient mailbox or public folder all inbound and outbound messages for the mailboxes that are in a mailbox store. To turn on journaling, select the target message store in ESM and open its Properties dialog box. Select Archive all messages sent or received by mailboxes on this store, then use the associated Browse button to select the receiving mailbox or public folder.
The problem with the message journaling approach is that it's a per-database setting, so message journaling captures mail for all the mailboxes in the store, not just the target mailbox. The simplest solution to this problem is to create a new database, enable journaling for that database, then move the target mailboxes to the database. Be sure that the inspection mailbox or public folder has sufficient quota and disk space to hold the volume of email you expect.
The third method is to use a content-scanning product. For example, both Nemx Software's Power Tools for Exchange and CipherTrust's IronMail appliance let you journal all messages to and from particular users. However, content scanners might provide incomplete coverage. For example, an SMTP-based content scanner will have no way to catch messages sent from the target user to another mailbox on the same Exchange server, because SMTP doesn't see those messages. If you decide to use such a product, be sure that it will catch all the messages you're interested in.