Content Scanning Your Exchange Servers
Microsoft and third-party alternatives can make this job easier
April 21, 2003
Exchange administrators sometimes need to scan an Exchange 2000 Server mailbox or public folder Store for messages that contain specific content. For example, suppose your legal or human resources (HR) department requires you to produce all messages that a certain person sent or that contain a specific keyword. More likely, management might ask you to scan the Store for all instances of a particular attachment, find messages about a particular subject, or eradicate all traces of a classified or sensitive message that was distributed too widely by mistake. Exchange doesn't offer tools for doing these tasks, but you can adapt some of Exchange's built-in tools for various content-scanning purposes. Microsoft and third-party alternatives are also available that can make this job a little easier.
Look Who's Talking
The simplest monitoring task is tracking email sent to or from a particular user. To perform this task, you need to enable message tracking on your Exchange servers. In Exchange System Manager (ESM), open the Properties dialog box for each Exchange server and make sure Enable message tracking is selected. (If you also select Enable subject logging and display, you'll be able to search the tracking logs by message subject—a handy capability.) You must turn on message tracking for all your Exchange servers; otherwise, the tracking logs will contain gaps that make it difficult to figure out what actually happened to the messages you're tracking. In addition, you'll need to use the Log file maintenance controls on the General tab to adjust the retention period for tracking logs. By default, Exchange keeps logs for only 7 days, so you can't search the Store for messages older than that. By increasing the log retention period, you can search older messages. However, be careful that you don't let the logs use up all your disk space.
Tracking logs are simple text files, so if you're handy with a scripting or programming language, you can easily write code to parse, search, or analyze log files in whatever way you require. Alternatively, an automated reporting tool, such as Quest Software's MessageStats, can do some of the analysis for you.
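As an added example of the log parsing described above (not code from the article), the following Python script reads the tracking log's #Fields header to find the sender, recipient and subject columns, then lists the messages a given user sent or received whose subject mentions a keyword. The column names and the sample log lines are assumptions modelled on the tab-separated layout of an Exchange 2000 tracking log.

```python
from typing import Dict, Iterator, List, Optional

# Constructed sample in the tab-separated, '#Fields:'-headed layout of an
# Exchange 2000 tracking log.  Real logs carry more columns; because the
# parser keys on the names in the header, extra columns are simply carried along.
SAMPLE_LOG = "\n".join([
    "#Software: Microsoft Exchange Server",
    "#Version: 6.0",
    "#Fields: Date\tTime\tRecipient-Address\tEvent-ID\tMSGID\tMessage-Subject\tSender-Address",
    "2003-4-21\t9:15:2 GMT\tbob@example.com\t1019\t<m1@exch01>\tQ2 budget draft\talice@example.com",
    "2003-4-21\t9:15:3 GMT\tbob@example.com\t1028\t<m1@exch01>\tQ2 budget draft\talice@example.com",
    "2003-4-21\t9:40:0 GMT\tcarol@example.com\t1019\t<m2@exch01>\tLunch?\talice@example.com",
    "2003-4-21\t10:2:7 GMT\talice@example.com\t1019\t<m3@exch01>\tRE: Q2 budget draft\tdave@example.com",
])


def parse_tracking_log(text: str) -> Iterator[Dict[str, str]]:
    """Yield one dict per record, keyed by the column names in the #Fields header."""
    fields: List[str] = []
    for line in text.splitlines():
        if line.startswith("#Fields:"):
            fields = line[len("#Fields:"):].split()  # names contain no spaces
        elif not line or line.startswith("#"):
            continue  # blank line or another header line
        elif not fields:
            raise ValueError("record encountered before the #Fields header")
        else:
            yield dict(zip(fields, line.split("\t")))


def search(records: Iterator[Dict[str, str]], user: Optional[str] = None,
           keyword: Optional[str] = None) -> List[Dict[str, str]]:
    """Return one entry per (message, recipient) sent to or from `user` and/or
    whose subject contains `keyword`; both matches are case-insensitive."""
    hits: List[Dict[str, str]] = []
    seen = set()
    for r in records:
        parties = (r.get("Sender-Address", "").lower(), r.get("Recipient-Address", "").lower())
        if user and user.lower() not in parties:
            continue
        if keyword and keyword.lower() not in r.get("Message-Subject", "").lower():
            continue
        key = (r.get("MSGID", ""), r.get("Recipient-Address", ""))
        if key in seen:
            continue  # a later event (e.g. store delivery) for a message already listed
        seen.add(key)
        hits.append(r)
    return hits
```

On a real log, call search(parse_tracking_log(open(path).read()), user=..., keyword=...) for each day's file. If Enable subject logging and display was not selected, the Message-Subject column is empty and keyword matches find nothing.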
Monitoring Mailboxes
Sometimes you might need to monitor mail to and from an individual mailbox or a set of mailboxes. You can do this three ways. The first, and usually the easiest, is to grant another account—let's call it the inspection account—Send As and Receive As permissions on the mailbox so that the inspection account can open the mailbox and read the messages. To grant these permissions, launch the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in, right-click the account of the user whose mailbox you want to inspect, and select Properties. Click the Exchange Advanced tab. (If you don't see this tab, close the Properties dialog box, click the View menu, select Advanced, then reopen the Properties page.) Click Mailbox Rights. When the Permissions dialog box appears, use the Add button to grant Send As and Receive As permissions to the inspection account.
One problem with this approach is that whoever uses the inspection account must be careful not to leave any traces—users are likely to be unhappy if their mail clients show that their new messages have already been read. Be sure to set the inspection account's preview pane not to mark messages as read.
Return and delivery receipts, which Exchange generates by default when the sender requests them, cause another problem with this approach. Let's say that Alice sends Bob a message that contains a return receipt request and that Charlie is monitoring Bob's mailbox. When Charlie reads Alice's message, his client will return a receipt to Alice, who will then know that Charlie is inspecting Bob's account. To prevent this problem, either turn off return receipt handling in your mail client or use a third-party utility such as Grinning Shark Software's Watch Your Back!, which lets you control whether Microsoft Outlook generates receipts and which receipts it generates.
The second method of monitoring mailboxes is to use Exchange 2000's message journaling feature, which copies to a recipient mailbox or public folder all inbound and outbound messages for the mailboxes that are in a mailbox store. To turn on journaling, select the target message store in ESM and open its Properties dialog box. Select Archive all messages sent or received by mailboxes on this store, then use the associated Browse button to select the receiving mailbox or public folder.
The problem with the message journaling approach is that it's a per-database setting, so message journaling captures mail for all the mailboxes in the store, not just the target mailbox. The simplest solution to this problem is to create a new database, enable journaling for that database, then move the target mailboxes to the database. Be sure that the inspection mailbox or public folder has sufficient quota and disk space to hold the volume of email you expect.
The third method is to use a content-scanning product. For example, both Nemx Software's Power Tools for Exchange and CipherTrust's IronMail appliance let you journal all messages to and from particular users. However, content scanners might provide incomplete coverage. For example, an SMTP-based content scanner will have no way to catch messages sent from the target user to another mailbox on the same Exchange server—SMTP doesn't see those messages. If you decide to use such a product, be sure that it will catch all the messages you're interested in.
Keyword Searches
Judging by the number of questions I see online, many administrators are looking for the best way to scan an information store for messages that contain specified keywords. This requirement usually arises because a manager wants to know who's been leaking confidential data or sending inappropriate email. Exchange doesn't offer keyword-search functionality, but if you need to look for instances of a particular text string, you're not totally out of luck.
First, if you need to search only a few mailboxes, don't disregard Exchange's built-in content indexing feature. If you turn on full-text indexing for the mailbox database, searching is quite fast, and the indexing schedule is adjustable. To enable indexing for a mailbox store, right-click the store, choose Create Full-Text Index from the context menu, then open the store's properties dialog box and use the Full-Text Indexing tab to control the indexing properties.
Searching all mailboxes on a store or server is a bit more complicated. The familiar Exmerge tool can scan for messages that have specified Subject lines or attachment filenames and move all messages it finds to a .pst file. However, this approach has a couple of drawbacks. One problem is that because Exmerge moves the messages that meet the criteria, the corresponding users will know you're monitoring their mail unless you run Exmerge against a copy of the mail database. (If you're using Exmerge to sanitize a message store by removing messages that you know are virus-infected or otherwise undesirable, this behavior won't be a problem.) The other problem is that Exmerge doesn't scan the body of the message or its attachments. If you need to look inside the message, you'll need to use a content management scanner such as GFI MailEssentials for Exchange/SMTP or Clearswift's MIMEsweeper. Other products, such as KVS's Enterprise Vault and IXOS SOFTWARE's IXOS-eCONserver, let you use indexed searches to find messages that contain inappropriate text or keywords.
On-the-Fly Content Scanning
Exchange administrators sometimes also need to scan all inbound or outbound content. You might already be using perimeter scanning to catch viruses, but perimeter scanning can also be a useful way to ensure that no one is sending out sensitive data, harassing email messages, and the like.
Exchange has no built-in content-scanning tools (unless you count the antivirus API—AVAPI, which is designed for virus scanning), but a wealth of third-party tools provide content scanning with or without virus scanning and keyword filtering. (To learn about some such tools, see Buyer's Guide, "Exchange Server Antivirus Software," February 2002, http://www.winnetmag.com, InstantDoc ID 23564.) These products range from standalone appliances such as the IronMail (see "CipherTrust's IronMail," March 2003, InstantDoc ID 37931) and freestanding products such as Trend Micro's InterScan VirusWall to products such as Power Tools for Exchange, which you install on your Exchange server. When you evaluate one of these products, consider what it lets you do with mail that matches your criteria, as well as what kinds of reporting features it includes. Some products let you define policies that control which kinds of mail can come and go; be sure that the product you select lets you adjust the keyword list easily and change policies on the fly. Download an evaluation version of the product you're interested in and test it on a server to make sure it behaves as advertised.
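As an added illustration of the distinction drawn in the Keyword Searches section (Exmerge matches Subject lines and attachment filenames but not message bodies) and of the keyword-policy scanning discussed just above, the following Python function walks a MIME message and reports whether each keyword from a policy list appears in the Subject, an attachment filename, the body text, or inside a text attachment. This is example code, not a product from the article; the message and the keyword list are constructed.

```python
import email
from email import policy
from typing import Dict, List

# Constructed sample (not from the article): the keywords appear only in the body
# text and inside an attached text file, not in the Subject or the attachment
# name, so a Subject/filename-only scan of the kind Exmerge performs misses them.
SAMPLE_MESSAGE = b"""\
From: alice@example.com
To: outside@partner.example
Subject: Notes from today
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Attached is the Project Falcon pricing sheet.
--b1
Content-Type: text/plain; name="sheet.txt"
Content-Disposition: attachment; filename="sheet.txt"

PROJECT FALCON - pricing - CONFIDENTIAL
--b1--
"""
KEYWORDS = ["confidential", "project falcon"]  # constructed policy list


def scan_message(raw: bytes, keywords: List[str]) -> Dict[str, List[str]]:
    """Map each matched keyword (case-insensitive) to where it was found:
    'subject', 'attachment-name:<file>', 'body' or 'attachment:<file>'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    found: Dict[str, List[str]] = {}
    for kw in keywords:
        if kw in str(msg["Subject"] or "").lower():
            found.setdefault(kw, []).append("subject")
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no content of their own
        filename = part.get_filename()
        for kw in keywords:
            if filename and kw in filename.lower():
                found.setdefault(kw, []).append("attachment-name:" + filename)
        if part.get_content_maintype() == "text":  # look inside the text itself
            text = part.get_content().lower()
            for kw in keywords:
                if kw in text:
                    found.setdefault(kw, []).append(
                        "attachment:" + filename if filename else "body")
    return found
```

A scanner that only checked the Subject and attachment names would report nothing for this message; the body and attachment-content hits are what a content scanner adds.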
A Bit of Advice
Users tend to become testy if they find out their email is being monitored. I always recommend that mail-system administrators refuse to monitor or scan email unless they have a written request from a properly authorized supervisor or company officer. In addition, you probably shouldn't do the monitoring yourself. Set up the capability, then give access to whoever requested the monitoring. These actions help insulate you from knowledge of whatever the "bad" messages contain—a prudent posture in today's litigious climate. I'm not a lawyer, however, so consult your own, or your firm's, attorney for more detailed legal advice if you need it. Seeking legal advice is particularly important for international companies: Laws in different countries vary, so monitoring that's legal in Australia might not be legal in Austria or Argentina.