
EV duplicate items with journaling

Created: 07 Feb 2013 • Updated: 05 May 2013 | 14 comments
This issue has been solved. See solution.

Hi

Environment is EV 9.0.2

This isn't really an EV issue, but a combination of factors, and thought I would try my luck picking your brains.

Have email journaling going from Exchange server A (journalmailbox_email) to EV9 server, Vaultstore_email

Have IM journaling going from Exchange server A (journalmailbox_IM) to EV9 server, Vaultstore_IM (these are IM transcripts emailed from a 3rd party product to a dedicated IM journaling mailbox)

The product we have that emails IM transcripts to the journalmailbox_IM mailbox spoofs the email headers so the emails appear to be sent directly from/to the people participating in the IM conversations.

The net result of this is:

1. IM are journalled from Exchange server A (journalmailbox_IM) to EV9 server, Vaultstore_IM - this is the correct behaviour

2. As a result of the email header spoofing, IMs that get emailed to the journalmailbox_IM mailbox also get journaled as regular emails because Exchange sees them as normal emails to be journaled; this means they also wind up in Vaultstore_email - this is incorrect (undesired) behaviour

Any suggestions to remediate this? Thanks!


Rob.Wilcox's picture

Two things -

Prevent them getting to the journal mailbox

* setup journaling rules (Exchange 2007 or higher)

Custom Filtering once they hit the journal mailbox

* You could write a custom filter rule (maybe) to not journal archive the items via EV

AndrewB's picture

so you're journaling the "journalmailbox_IM" mailbox? can you move it to its own store without journaling enabled?

Andy Becker | Authorized Symantec Consultant | Trace3 | Symantec National Partner | www.trace3.com

goatboy's picture

>> * setup journaling rules (Exchange 2007 or higher)

Unfortunately still running Exchange 2003

>> * You could write a custom filter rule (maybe) to not journal archive the items via EV

I looked into this, we already do some custom filtering, but the options are pretty limited (e.g. no option to not archive an email based on an originating server IP) so don't think that will work. These items still need to be journaled, it's just that they are currently getting journaled twice. The IM and Email journaling is in the same site and therefore shares the same custom filter. I guess I could have a custom filter to send stuff to a specific vault store based on subject, but I think I will still end up with duplicates.

EDIT - also thought about a transport rule to change the message class of the IMs and have the custom filter archive based on that... but no transport rules in Exchange 2003.

>> so you're journaling the "journalmailbox_IM" mailbox? can you move it to its own store without journaling enabled?

We could, what would that give us? We need to journal these IMs for compliance purposes. Are you proposing we archive that mailbox instead of journaling it?

Thanks!

Rob.Wilcox's picture

Put this mailbox:

 (journalmailbox_IM)

On its own Exchange Information Store, and don't enable journaling for that particular store.

Then you can either 'archive' that mailbox or target it with journal archiving (I'd suggest the former)

goatboy's picture

Sorry, I was mistaken: journalmailbox_IM is not journaled; it is an ordinary mailbox just targeted for journal archiving.

AndrewB's picture

in exchange 2003, journaling is at the store level. is the journalmailbox_IM in its own store where journaling is not enabled?

Andy Becker | Authorized Symantec Consultant | Trace3 | Symantec National Partner | www.trace3.com

Rob.Wilcox's picture

Okay, so please re-summarise.

And try to explain why things are being archived/journaled twice.. and where.

MichelZ's picture

And try to mention actual product names, this might also be helpful.

goatboy's picture

Thanks all. Let me try to clarify:

1. We have a 3rd party product from Actiance called Vantage which proxies IM traffic - it emails IM transcripts to a mailbox called journalmailbox_IM

2. journalmailbox_IM is an ordinary mailbox targeted by journal archiving in EV, going to Vaultstore_IM

3. When Vantage emails the IM transcripts to journalmailbox_IM, it spoofs the TO/FROM headers, so these transcripts appear as being sent to/from ordinary Exchange users instead of IM buddy names (this allows for easy searching in DA etc.)

4. We have another mailbox called journalmailbox_email where ordinary mail is journaled to, this is targeted by a separate journal archiving task in EV, going to Vaultstore_Email

5. So this is what happens. John Citizen's ordinary email is archived to Vaultstore_Email. John Citizen's IMs are archived to Vaultstore_IM. All good so far.

6. However, when Exchange 2003 receives an IM transcript emailed from Vantage, because the TO/FROM headers are spoofed and appear as an ordinary email, Exchange also journals this email, and therefore it winds up in Vaultstore_Email. This is the problem - we're getting IM transcripts archived to 2 vault stores.

Hope this is clearer! 

AndrewB's picture

until you tell me otherwise, i feel like i just have to repeat what i said at first. it sounds like you have the journalmailbox_IM sitting on a database in an information store in Exchange 2003 that is enabled for journaling. if you move it to its own IS and don't enable journaling, you'll solve the problem.

Andy Becker | Authorized Symantec Consultant | Trace3 | Symantec National Partner | www.trace3.com

goatboy's picture

The journalmailbox_IM is definitely not sitting on a store enabled for journaling.

The problem is detailed in step 6 - when Vantage emails the journalmailbox_IM, the mail comes from, or is addressed to, an internal user due to header spoofing.

This means that email, besides arriving in the journalmailbox_IM which is targeted for journal archiving by EV, also gets captured by normal email archiving, as the sender (or receiver) themselves is in an Exchange store which is enabled for email journaling.

Let me know if this is still ambiguous, if so, I'll attach a flowchart to clarify. Thanks.

KarlW's picture

In this instance Exchange and EV are behaving correctly.  

You could use custom rules for the journalmailbox_email such that the Actiance (IM) items are deleted rather than archived. This obviously has an expense on journal throughput. Alternatively the rule could archive the item to the IM archive.

What format does the email take that is sent to the journalmailbox_IM? Is it a spoofed journal report or just a plain message? If Actiance are spoofing envelope messages it may be possible to add an x-header to fool Exchange into thinking it has already been journaled.

Regards

Karl

 
SOLUTION
goatboy's picture

Thanks Karl. We already use custom filtering extensively, so stopping the IMs being archived to a specific vaultstore via custom filtering is a valuable idea, but already looked into that and don't think we have enough granularity in custom filtering for that to work.

The emails that Vantage sends to journalmailbox_IM are just plain messages. However, it does allow the ability to add custom headers to the outgoing emails. Can I use custom headers to help alleviate this issue?

KarlW's picture

It's been a while since I read http://technet.microsoft.com/en-gb/library/aa997918(v=exchg.141).aspx - re-reading, I'm not sure there's a workaround here for Exchange 2003. There is potential for Exchange 2010 but that unfortunately doesn't help you.

Regards

Karl