CA/DA - Distribution List Membership

Created: 07 Dec 2005 • Updated: 23 May 2010 | 13 comments

Is there a way to track distribution list memberships at any given point in time in CA or DA?

Jason Bunn's picture

I'm not sure if this is what you are asking or not but here goes.

You can set up envelope journaling on your Exchange server. If you google you should find some info on how to envelope journal with Exchange. This will expand the distribution list at the time the message was sent and actually store it as part of the journaled mail. Remember this is a function of Exchange and not Enterprise Vault. I believe you need Exchange 2000 or 2003.

After Enterprise Vault Journaling grabs this type of mail and stores it, the mail can be searched with Compliance or Discovery. When found and opened in Compliance or Discovery you will see the exact members of the DL at the time the message was sent. This will actually be part of the message. I believe it will show any BCC recipients as well.

We are in the process of setting this up for testing.

Hope this helps

Carmila Fresco's picture

Jason,

I do have it set up using envelope journaling. Somehow, whenever I look at a message sent to a DL, I don't see who the members are at the time the message was received.

When you do a search in DA for a particular user, does it also bring up messages that were sent to the DL that the user is a member of?

I still have to look at the post from David.

Thanks,
Carmila

Carmila Fresco's picture

David,

So I guess it means that it's there but there's just no way to see it?

Does anyone know if they've added any feature in CA v6 that would allow us to look at who the members of the list are when a message was sent out to the DL?

Thanks,
Carmila

David Messenger 2's picture

If you have envelope journalling turned on then you have recipient information so everything is great... but you may not have the DL membership...?!? Confused :-(

Is it that you can find all the mail sent to --John Smith-- but not all the mail sent to the --Insider Dealer-- distribution list that John may or may not have been a member of?

Is that the problem?

Carmila Fresco's picture

Yes I do have envelope journaling turned on and as far as I can tell, it's able to capture BCC's.

I guess what I was expecting was somewhere in the GUI, I would actually see that this mail was sent to DL ABC and the members are user1, user2, user3 since these things are actually captured through envelope journaling which is clearly listed in the body of the message.

It's not exactly SOX related since we're public but not in the US so we only have to deal with some of SOX but not all of it. I'm thinking more along the lines of discovery requests wherein it's very common that legal would request us to produce documents sent to user1 including all email messages sent to distribution lists that user1 is a member of. Please bear with me, I'm slowly going through the product. :)

Does EV store whatever information is included in the envelope message (sender, message ID, all message recipients, BCC, alternate recipients or undisclosed recipients)?

I don't remember ever being shown if it was possible to see the recipients but we did ask if it kept track of DL memberships and what I remember was them telling us that it does distribution list expansion which is a given since it's using envelope journaling.

Carmila Fresco's picture

Yup, you hit the nail right on the head.

I guess I sort of expected DA would be able to produce that kind of results for me.

Sorry, I'm at the point wherein I'm trying to figure out if our system is actually working the way it should be. Not too satisfied with how it was tested during deployment by the engineers.

David Messenger 2's picture

Carmila,

apologies for the multiple rewrites of last posting! Once I'd removed my head from my behind and read what you wrote I realised I was answering the wrong questions!

I think you aren't going to get DL searches if you have envelope journalling. If you didn't have envelope journalling you could but you'd have no proof who was in the DL. Bearing in mind that I don't use EV for anything but mailbox archiving, I don't journal at all and I don't use CA/DA I'm hardly a subject matter expert ;-)

You've got to do an AND here I guess. If you know 4 people who were in the DL on the day you are interested in then search for the same message going to all 4 and you probably have your DL (if it has the same messageID).

Carmila Fresco's picture

David,

No worries. Thank you anyways. I was looking at the other thread you sent out yesterday and it seems that it's being stored somewhere but it's just not accessible. I'll buy that for now and hopefully, Symantec has it somewhere in the roadmap.

The product is still so much better than the previous one that we attempted to put into production but never did because of serious problems that we discovered and brought up to their attention and their response for fixing it was to change what's in their documentation. :)

Cheers,
Carmila

David Messenger 2's picture

OK, you know we wanna know what the other product is?!? I think this is legit. EV gets a pretty good bashing up on this site so it's always good to remind ourselves why we brought it in the first place (it may be hard work but it's probably still the best product in this tier of the market).

Carmila Fresco's picture

I hope I don't get banned on this board for this. On second thought, Symantec Sales would probably have a field day once they hear about this and yes, they should take me out to lunch!

The company has just been bought out recently (in October 2005) by a big company. I think that should give you a very good idea of who they are.

Their user interface is a lot nicer than CA and our compliance officer loved it. From the user perspective, it was the best that's currently out in the market. They gave us references and answered our technical questions however, we found out that they weren't perfectly honest with us during the sales cycle.

They used Exchange journaling however, the way that they got the messages into their system was by creating a rule in Outlook that forwarded messages to an SMTP address of their system. So you can imagine, the journal mailbox was filling up and they didn't have any way of actually clearing out the contents of the journal mailbox! Good thing I had a 3rd party tool that I was already using since there was no way that I was going to manually delete the email messages in the journal mailbox.

Anyways, they use some sort of fuzzy logic to capture messages for compliance. They claim that their system can distinguish between Sue -- lady's name and sue -- as in someone is going to sue you. We asked them for the search terms they're using to capture messages and they basically told us it's proprietary. So there was no way for us to test the system and figure out if the system worked properly or not (if it's capturing stuff that it's supposed to capture). Somehow, I stumbled upon a planning guide and set up the different thresholds to the levels we wanted. I then copied and pasted the examples and sent off an email for every example that they have on this document. So it should pretty much catch the emails since it said that if the threshold is set to this level, it should catch these set of phrases. First pass, it had a 30% failure rate. Support looked at the problem for several weeks and then tweaked this and that. Second pass, it had a lower failure rate. However, in the money laundering category (which is a very hot topic in the financial industry), it failed in 5 out of 6 of its published examples! Went back to support and it dragged on for several weeks until we got so sick and tired that our CIO called up the president of the company. The president of the company promised our CIO that they are going to fix it within 7 days. The following day, we got an email from their head of support saying that they are issuing a new planning guide and it will be released in 7 days. I was just floored when I read the email. Few days before that, I was actually joking about them changing the documentation. I never thought they would actually use that lame excuse.

Somehow, I had visions of myself and my boss in the witness stand and lawyers asking us if we were aware that the system had a problem capturing stuff for money laundering and that it was not compliant with the regulations that we were supposed to be complying with. There was no way we were going to put that piece of junk in production.

Although, they did have a better response time with their support than Symantec and I hope Symantec actually beefs up their support team since it's a little annoying paying for support and then waiting several days for someone to actually get back to you and so far, I've only opened 4 tickets with them, I have already had a bad experience wherein the engineer I was speaking with completely missed what my problem was and when I asked if there was someone else that I could talk to regarding my issue, he said that he was the best there is for CA. Scary...

David Messenger 2's picture

Carmila,

Jezus. Cowboys.

We had a solution proposed for one of our subsidiaries involving outsource and using an inbox rule to copy the mail and send it as SMTP from the Journal mailbox to their system. What a joke!

I got into soooo much trouble for this one. The boss had gone out and done a golf course deal and when I turned up and started to tell them all the reasons it was a plain awful solution they didn't like it much! I'm not allowed to talk to this bit of the business anymore :-)

I viewed it like you. Better to be unpopular than in prison!

You can't use an InBox rule to move compliance data around. Rules run out of process on the Store. They are considered by Exchange to be a nice to have. If the Store is busy it won't necessarily fire the rule.

Crazy world isn't it?

Jason Bunn's picture

Sorry I did not get back sooner. I only have time to look out here about 1 time a week. I just learned how to do the watch function.

You already know this but I thought it may help someone else.

Envelope journaling

Envelope journaling differs from message-only journaling and Bcc journaling because it permits you to archive transport envelope information (P1 message headers). This includes information about the recipients who actually received the message, including Bcc recipients and recipients from distribution groups. Envelope journaling delivers messages that are flagged to be archived by using an envelope message that contains a journal report together with the original message. The original message is delivered as an attachment. The body of the journal report contains the transport envelope data of the archived message.

So no you can't see it in the GUI. But I believe if you do a discovery and open the mail you will see the DL as it was when it was sent. I say "I believe" because I did not get a chance to run through a test yet. DA in my test env is not running. If this works I think this covers you in a legal discovery.

I also believe you can search by the To: field with one of the addresses in the DL and find it. Again I have to run through this to be sure.

We have only had a couple of discoveries from the SEC. They only have requested mail from a certain person from a certain date range. I need to do bit more envelope journaling testing.

Support has been very frustrating. I think it has gotten better though. Hopefully, they continue the amount of doc that is created and KB articles. We have experienced soo many issues it is ridiculous.

It can't get any worse. Can it?
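
The envelope-message structure quoted above (journal report in the body, original message attached) can be read outside the GUI to answer the discovery question raised in this thread. The following is an added example, not part of the original posts or of Enterprise Vault; the report layout (a `Recipients:` section with `, Expanded:` marking DL expansion) is a simplified assumption modeled on Exchange journal reports, and all addresses and function names are constructed.

```python
import email
from email import policy
from email.message import EmailMessage

def make_envelope(msg_id, recipient_lines):
    """Build a constructed envelope message: journal report body + original attached."""
    orig = EmailMessage()
    orig["Message-ID"] = msg_id
    orig.set_content("constructed test body")
    env = EmailMessage()
    env["Subject"] = "Journal report (constructed)"
    env.set_content("Sender: sender@example.test\nMessage-ID: %s\nRecipients:\n%s"
                    % (msg_id, "\n".join(recipient_lines)))
    env.add_attachment(orig)  # original message travels as message/rfc822
    return env.as_bytes()

def read_envelope(raw):
    """Return (message_id, [(recipient, dl_or_None)]) from one envelope message."""
    env = email.message_from_bytes(raw, policy=policy.default)
    msg_id, rcpts, in_rcpts = None, [], False
    for line in env.get_body(("plain",)).get_content().splitlines():
        line = line.strip()
        if line.lower().startswith("message-id:"):
            msg_id = line.split(":", 1)[1].strip()
        elif line.lower() == "recipients:":
            in_rcpts = True
        elif in_rcpts and line:
            addr, _, dl = line.partition(", Expanded:")  # assumed expansion marker
            rcpts.append((addr.strip().lower(), dl.strip().lower() or None))
    attached = next(env.iter_attachments()).get_content()
    if str(attached["Message-ID"]).strip() != msg_id:
        raise ValueError("journal report does not match attached message")
    return msg_id, rcpts

def delivered_to(envelopes, user):
    """Map Message-ID -> DL that expanded to `user` (None if addressed directly)."""
    return {mid: dl for mid, rcpts in map(read_envelope, envelopes)
            for addr, dl in rcpts if addr == user.lower()}

def dl_members(envelopes, dl):
    """Map Message-ID -> DL membership as recorded when that message was sent."""
    out = {}
    for mid, rcpts in map(read_envelope, envelopes):
        members = {a for a, d in rcpts if d == dl.lower()}
        if members:
            out[mid] = members
    return out

DL = "abc-dl@example.test"  # constructed sample data: user1 leaves the DL after m1
ENVELOPES = [
    make_envelope("<m1@example.test>", ["user%d@example.test, Expanded: %s" % (n, DL) for n in (1, 2, 3)]),
    make_envelope("<m2@example.test>", ["user%d@example.test, Expanded: %s" % (n, DL) for n in (2, 3)]),
    make_envelope("<m3@example.test>", ["user1@example.test"]),
]
```

`delivered_to` answers "everything sent to user1, including via DLs", while `dl_members` reports the membership recorded per message, so a membership change between two sends is visible.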