Incoming Mail intended for one recipient received by another recipient?

    Question

  • Dear colleagues,

    I need your help on this one because my troubleshooting got me nowhere.

    The situation:

    Sender outside of our organization sent us one E-Mail which was supposed to be received by Recipient A, but instead gets received by Recipient B. So A never got the E-Mail, but B which does not have any connection with A gets the E-mail. We are currently in the process of migration from EX 2010 to 2016 and so far the mailboxes are 95% finished but still on 2010, SCP is on 2016. Incoming mail goes first through 2010 and 2010 Server forwards the mail to 2016 Server DAG. We use Trendmicro IMSVA for scanning our E-Mails and XiTrust for encryption of our E-Mails.

    A and B do not have any mailbox delegation set between them.

    E-Mail Properties:

    Received: from mx01.OURCOMPANY.com (IP) by OURSERVER.domain
      (10.6.100.88) with Microsoft SMTP Server id 14.3.361.1; Thu, 8 Mar 2018
      08:55:23 +0100
     Received: from mx01.OURCOMPANY.com (unknown [127.0.0.1]) by IMSVA
      (Postfix) with ESMTP id C18054E070 for <RECIPIENTA@OURCOMPANY.com>;
      Thu,  8 Mar 2018 08:55:22 +0100 (CET)
     Received: from mx01.OURCOMPANY.com (unknown [127.0.0.1]) by IMSVA
      (Postfix) with ESMTP id 9AF334E06F for <RECIPIENTA@OURCOMPANY.com;
      Thu,  8 Mar 2018 08:55:22 +0100 (CET)
     Received: from SENDER@Email.com (unknown [IP OMMITED]) by
      mx01.OURCOMPANY.com (Postfix) with ESMTPS for
      <RECIPIENTA@OURCOMPANY.com; Thu,  8 Mar 2018 08:55:22 +0100 (CET)
     Received: from GT-EXCHANGE2010.SENDER.LOCAL
      ([fe80::4155:dc72:973d:c0c4]) by GT-EXCHANGE2010.SENDER.LOCAL
      ([fe80::4155:dc72:973d:c0c4%16]) with mapi id 14.02.0387.000; Thu, 8 Mar 2018
      08:54:48 +0100
     From: SENDER <SENDER@Email.com>
     To: "'RECIPIENTA@OURCOMPANY.com'"
     <RECIPIENTA@OURCOMPANY.com>
     Subject: Question
     Thread-Topic: Question
     Thread-Index: AdO2Hxh+GAU/A=
     Date: Thu, 8 Mar 2018 07:54:48 +0000
     Message-ID: <SENDER@Email.com>
     References: <1598.124201.152043JavaMail.MAIL ENCRYPTING SERVER$@MAIL ENCRYPTING SERVER>
      <SENDER@Email.com>
     In-Reply-To: <SENDER@Email.com>
     Accept-Language:en-US
     Content-Language: en-US
     X-MS-Has-Attach: yes
     X-MS-TNEF-Correlator:
     x-originating-ip: [10.0.1.37]
     Content-Type: multipart/related;
     boundary="_007_0C34459E615A904196413F18F391D80GTEXCHANGE2010g_";
     type="multipart/alternative"
     MIME-Version: 1.0
     X-TM-AS-GCONF: 00
     X-TM-AS-Product-Ver: IMSVA-9.1.0.1631-8.2.0.1013-23706.005
     X-TM-AS-Result: No--19.100-4.5-31-10
     X-imss-scan-details: No--19.100-4.5-31-10
     X-TM-AS-User-Approved-Sender: No
     X-TM-AS-User-Blocked-Sender: No
     X-TMASE-Version: IMSVA-9.1.0.1631-8.2.1013-23706.005
     X-TMASE-Result: 10--19.100400-10.000000
     X-TMASE-MatchedRID: OoEa6u7Uk...
     X-IMSS-DKIM-White-List: No
     X-TMASE-SNAP-Result: 1.821001.0001-0-1-12:0,22:0,33:0,34:0-0
     Return-Path: SENDER@Email.com
     X-MS-Exchange-Organization-AuthSource: OURSERVER.domain
     X-MS-Exchange-Organization-AuthAs: Anonymous
     X-EXCLAIMER-MD-CONFIG: ba9bbaa9-6f85-4be2-a9d9-b5432a15d57f
     X-MS-Exchange-Organization-AVStamp-Mailbox: SMEXtG}w;1380100;0;This mail has
      been scanned by Trend Micro ScanMail for Microsoft Exchange;
     X-MS-Exchange-Organization-SCL: 0

    In Exchange 2010 Tracking logs explorer I could not find anything that could point me to the cause of the issue. There is this one thing where I get a defer message:

    But here the "EventData" field is empty, I tried the command on 2016 but did not get the result. I

    Is there another way to look into why this situation happened?


    Thank you,





    • Edited by Tonito Dux Wednesday, March 14, 2018 7:35 AM
    Wednesday, March 14, 2018 7:34 AM

All replies

  • I would look at what transport rules are in place if any on both 2010 and 2016. Check for inbox rules on recipient A. But from what you have sent through it looks like a transport agent
    Wednesday, March 14, 2018 11:04 AM
  • Hi Moisis,

    Thank you for your answer. We have six rules, but I did not check them in detail because I always thought that then ALL of the e-mails would be delivered to recipient B. Then we would immediately know that the T.R. is to blame.

    Will report back after checking,

    Wednesday, March 14, 2018 11:14 AM
  • Hi Tonito

    Message headers and message tracking should give us an answer.

    Request you to share the result of both (headers from original message). Mostly, it's because of either transport rules, Inbox rule, or forwarding set on mailbox properties under Delivery options.


    AkashG || For any further queries, please mark an email to akash.g.88@outlook.com ||

    Wednesday, March 14, 2018 11:59 AM
  • Hi Akash,

    The message header is provided in the first post, don't know how you have missed it :)

    Wednesday, March 14, 2018 12:11 PM
  • The headers don't have much info (if this is everything).
    Can you run message tracking using the MessageId in the headers | fl and share the complete result?

    AkashG || For any further queries, please mark an email to akash.g.88@outlook.com ||

    Wednesday, March 14, 2018 12:20 PM
  • The E-mail header is complete, I have only changed the real e-mail address and server information for privacy.

    Wednesday, March 14, 2018 1:07 PM
  • Anybody?
    Thursday, March 15, 2018 8:52 AM
  • Hi,

    Agree with Moisis, it seems like a redirect transport rule or inbox rule causes the issue. It is necessary to confirm it with the email admin as soon as possible.

    Besides, we need to get the detailed information of the message tracking log by running the following command, please don't cover all the recipient address information, just replace the users' real name with userA and userB.

    Get-MessageTrackingLog -Sender <SenderAddress> -MessageSubject <Subject> | fl


    Regards,

    Manu Meng


    Please remember to mark the replies as answers if they helped. If you have feedback for TechNet Subscriber Support, contact tnsf@microsoft.com.


    Friday, March 16, 2018 9:30 AM
    Moderator
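Because mail in this environment passes through both Exchange 2010 and Exchange 2016 servers, the tracking query can also be run by Message-ID against every server rather than only the local one. The following is an added example, not part of the original thread; `$MessageId`, the date window and the server discovery via `Get-ExchangeServer` are assumptions to adapt.

```powershell
# Added example: follow one message across all Exchange servers by Message-ID.
# Placeholders: replace $MessageId with the Message-ID header value and adjust the window.
$MessageId = '<MESSAGE-ID-FROM-HEADER>'
$Start     = Get-Date '2018-03-08 00:00'
$End       = Get-Date '2018-03-09 00:00'

# Servers that keep tracking logs: 2010 hub/mailbox roles and 2016 mailbox servers.
$Servers = Get-ExchangeServer |
    Where-Object { $_.IsHubTransportServer -or $_.IsMailboxServer }

$Events = foreach ($Server in $Servers) {
    Get-MessageTrackingLog -Server $Server.Name -MessageId $MessageId `
        -Start $Start -End $End -ResultSize Unlimited
}

# Chronological view: which server handled the message, and for which recipients.
$Events | Sort-Object Timestamp |
    Select-Object Timestamp, ServerHostname, Source, EventId,
        @{ Name = 'Recipients'; Expression = { $_.Recipients -join ';' } },
        RelatedRecipientAddress |
    Format-Table -AutoSize -Wrap

# Events where the server itself adds or replaces recipients
# (distribution group expansion, redirection, address resolution).
$Events | Where-Object { 'EXPAND', 'REDIRECT', 'RESOLVE' -contains $_.EventId } |
    Format-List Timestamp, ServerHostname, EventId, Recipients,
        RelatedRecipientAddress, SourceContext

# Every distinct address that received a DELIVER event for this message.
$Events | Where-Object { $_.EventId -eq 'DELIVER' } |
    ForEach-Object { $_.Recipients } | Sort-Object -Unique
```

If the last list does not contain the unexpected recipient, no Exchange server delivered the message to that mailbox through transport, and the copy arrived there some other way.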
  • Hi Manu,

    Thank you for your help. I am the E-Mail admin so I am able to help with guidance from you and others.

    This is the output of the command:

    RunspaceId              : c6c0aae5-dd5a-45d4-934d-dbb8ffc394d1
    Timestamp               : 08.03.2018 08:55:23
    ClientIp                : 10.5.2.133
    ClientHostname          : mx01.company.com
    ServerIp                : 10.6.100.88
    ServerHostname          : SERVER
    SourceContext           : 08D57484050B2F4A;2018-03-08T07:55:23.430Z;0
    ConnectorId             : SERVER\Default SERVER
    Source                  : SMTP
    EventId                 : RECEIVE
    InternalMessageId       : 6956150
    MessageId               : <0C34459E615A9041964EDA61EC3613F18F391D80@GT-EXCHANGE2010.SENDERSERVER.local>
    Recipients              : {userA@email.com}
    RecipientStatus         : {}
    TotalBytes              : 44288
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               :
    MessageSubject          : AW: Anfrage
    Sender                  : sender@email.com
    ReturnPath              : sender@email.com
    MessageInfo             : 00A: NTS:
    MessageLatency          :
    MessageLatencyType      : None
    EventData               : {[FirstForestHop, SERVER.domain.intra]}

    RunspaceId              : c6c0aae5-dd5a-45d4-934d-dbb8ffc394d1
    Timestamp               : 08.03.2018 08:55:23
    ClientIp                :
    ClientHostname          : SERVER
    ServerIp                :
    ServerHostname          :
    SourceContext           :
    ConnectorId             :
    Source                  : AGENT
    EventId                 : RECEIVE
    InternalMessageId       : 6956150
    MessageId               : <0C34459E615A9041964EDA61EC3613F18F391D80@GT-EXCHANGE2010.SENDERSERVER.local>
    Recipients              : {dmsmailjournal@domain.intra}
    RecipientStatus         : {}
    TotalBytes              : 44288
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               :
    MessageSubject          : AW: Anfrage
    Sender                  : sender@email.com
    ReturnPath              : sender@email.com
    MessageInfo             :
    MessageLatency          :
    MessageLatencyType      : None
    EventData               : {[RecipientType, Bcc]}

    RunspaceId              : c6c0aae5-dd5a-45d4-934d-dbb8ffc394d1
    Timestamp               : 08.03.2018 08:55:23
    ClientIp                :
    ClientHostname          : SERVER
    ServerIp                :
    ServerHostname          :
    SourceContext           : Transport Rule Agent
    ConnectorId             :
    Source                  : AGENT
    EventId                 : DEFER
    InternalMessageId       : 6956150
    MessageId               : <0C34459E615A9041964EDA61EC3613F18F391D80@GT-EXCHANGE2010.SENDERSERVER.local>
    Recipients              : {userA@email.com, dmsmailjournal@domain.intra}
    RecipientStatus         : {, }
    TotalBytes              : 44288
    RecipientCount          : 2
    RelatedRecipientAddress :
    Reference               :
    MessageSubject          : AW: Anfrage
    Sender                  : sender@email.com
    ReturnPath              : sender@email.com
    MessageInfo             : 08.03.2018 08:55:23
    MessageLatency          :
    MessageLatencyType      : None
    EventData               :

    RunspaceId              : c6c0aae5-dd5a-45d4-934d-dbb8ffc394d1
    Timestamp               : 08.03.2018 08:55:25
    ClientIp                :
    ClientHostname          : SERVER
    ServerIp                :
    ServerHostname          : SERVER
    SourceContext           : 08D57484050B2F4B;2018-03-08T07:55:25.801Z;0
    ConnectorId             :
    Source                  : STOREDRIVER
    EventId                 : DELIVER
    InternalMessageId       : 6956150
    MessageId               : <0C34459E615A9041964EDA61EC3613F18F391D80@GT-EXCHANGE2010.SENDERSERVER.local>
    Recipients              : {dmsmailjournal@domain.intra}
    RecipientStatus         : {}
    TotalBytes              : 45335
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               :
    MessageSubject          : AW: Anfrage
    Sender                  : sender@email.com
    ReturnPath              : sender@email.com
    MessageInfo             : 2018-03-08T07:55:23.477Z;SRV=OURSERVER.domain.intra:TOTAL=2|QS=1
    MessageLatency          : 00:00:02.4180000
    MessageLatencyType      : EndToEnd
    EventData               : {[MailboxDatabaseName, serviceusers]}

    RunspaceId              : c6c0aae5-dd5a-45d4-934d-dbb8ffc394d1
    Timestamp               : 08.03.2018 08:55:26
    ClientIp                :
    ClientHostname          : SERVER
    ServerIp                :
    ServerHostname          : SERVER
    SourceContext           : 08D57484050B2F4C;2018-03-08T07:55:25.801Z;0
    ConnectorId             :
    Source                  : STOREDRIVER
    EventId                 : DELIVER
    InternalMessageId       : 6956150
    MessageId               : <0C34459E615A9041964EDA61EC3613F18F391D80@GT-EXCHANGE2010.SENDERSERVER.local>
    Recipients              : {userA@email.com}
    RecipientStatus         : {}
    TotalBytes              : 45335
    RecipientCount          : 1
    RelatedRecipientAddress :
    Reference               :
    MessageSubject          : AW: Anfrage
    Sender                  : sender@email.com
    ReturnPath              : sender@email.com
    MessageInfo             : 2018-03-08T07:55:23.477Z;SRV=OURSERVER.domain.intra:TOTAL=2|QS=1
    MessageLatency          : 00:00:02.6360000
    MessageLatencyType      : EndToEnd
    EventData               : {[MailboxDatabaseName, DB01], [DatabaseHealth, -1]}

    DMS Journal is the system we use for journaling.

    These two users are not connected, only this one e-mail appeared in userB's mailbox. All other messages were delivered normally.

    Thanks,


    • Edited by Tonito Dux Friday, March 16, 2018 10:04 AM
    Friday, March 16, 2018 10:01 AM
  • Is it possible that UserC has Full Mailbox permission to UserA and UserB? Maybe UserC moved the mail via drag&drop from UserA's mailbox to UserB's mailbox. Nothing from the message tracking indicates that there is a mail flow issue.
    Friday, March 16, 2018 10:22 AM
  • Hi Joerg,

    I would have never thought of that - I have to check. Then I will report back here.

    Thanks,

    Friday, March 16, 2018 10:26 AM
  • From the server side - all clear, neither userA nor userB has anybody with Full Access permission.
    Friday, March 16, 2018 10:33 AM
  • Hi,

    Since there is not a record related to recipient B in message tracking log, we should check if there is a transport rule or inbox rule as follows:


    If there is no related rules, we could move the mailbox to another DB then recreate the Outlook profile.

    You are welcome to send the completed message tracking log to: ibsexc@microsoft.com.

    Regards,

    Manu Meng



    Friday, March 23, 2018 1:39 AM
    Moderator
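One way to run the checks named in this thread (forwarding set on the mailbox, and transport rules that add or replace recipients) and collect the results in a single table. This is an added example, not from the original posts; `$UserA` is a placeholder address, and in a mixed environment the script would be run in the management shell of each Exchange version, since the first reply suggests checking the rules on both 2010 and 2016.

```powershell
# Added example: list every server-side setting that could hand userA's mail
# to another recipient. $UserA is a placeholder for the intended recipient.
$UserA    = 'usera@domain.com'
$Findings = @()

# 1. Forwarding configured on the mailbox itself (Delivery Options).
$Mbx = Get-Mailbox $UserA
foreach ($Prop in 'ForwardingAddress', 'ForwardingSmtpAddress') {
    if ($Mbx.$Prop) {
        $Findings += New-Object PSObject -Property @{
            Source  = 'Mailbox forwarding'
            Name    = $Prop
            Enabled = $true
            Target  = [string]$Mbx.$Prop
        }
    }
}

# 2. Transport rules whose actions add or replace recipients.
#    Disabled rules are listed too, so a recently switched-off rule is not missed.
$Actions = 'RedirectMessageTo', 'BlindCopyTo', 'CopyTo', 'AddToRecipients'
foreach ($Rule in Get-TransportRule) {
    foreach ($Action in $Actions) {
        if ($Rule.$Action) {
            $Findings += New-Object PSObject -Property @{
                Source  = "Transport rule ($Action)"
                Name    = $Rule.Name
                Enabled = ($Rule.State -eq 'Enabled')
                Target  = ($Rule.$Action -join ';')
            }
        }
    }
}

$Findings | Select-Object Source, Name, Enabled, Target |
    Format-Table -AutoSize -Wrap
```

An empty table means neither mechanism is configured for this mailbox; rule conditions still need to be read by hand for any transport rule that is listed.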
  • Another possibility is that userA has additional forwarding or rules in their mailbox? You could check with something like this from Exchange Management Shell:

    $FilePath = "C:\Temp\ruledata.csv"

    # Mailboxes to audit; add further identities as needed.
    [array]$Users = Get-Mailbox usera@domain.com

    foreach ($User in $Users) {
        $InboxRules = Get-InboxRule -Mailbox $User.PrimarySmtpAddress
        foreach ($Rule in $InboxRules) {
            # One CSV line per enabled rule that forwards or redirects mail.
            # The -join must be parenthesised: binary -join binds more loosely than +,
            # so without parentheses the closing quote and description are lost.
            If ($Rule.Enabled -eq $True -and $Rule.ForwardAsAttachmentTo) {
                $RuleData = """" + $User.PrimarySmtpAddress + """" + "," + """" + "ForwardAsAttachmentTo" + """" + "," + """" + ($Rule.ForwardAsAttachmentTo -join ";") + """" + "," + """" + "Possible mail forwarding exfiltration. Message forwarded to domain not in Exchange Online." + """"
                $RuleData | Out-File -FilePath $FilePath -Append
            }
            If ($Rule.Enabled -eq $True -and $Rule.ForwardTo) {
                $RuleData = """" + $User.PrimarySmtpAddress + """" + "," + """" + "ForwardTo" + """" + "," + """" + ($Rule.ForwardTo -join ";") + """" + "," + """" + "Possible mail forwarding exfiltration. Message forwarded to domain not in Exchange Online." + """"
                $RuleData | Out-File -FilePath $FilePath -Append
            }
            If ($Rule.Enabled -eq $True -and $Rule.RedirectTo) {
                $RuleData = """" + $User.PrimarySmtpAddress + """" + "," + """" + "RedirectTo" + """" + "," + """" + ($Rule.RedirectTo -join ";") + """" + "," + """" + "Possible mail forwarding exfiltration. Message forwarded to domain not in Exchange Online." + """"
                $RuleData | Out-File -FilePath $FilePath -Append
            }
        }
    }




    Tuesday, August 14, 2018 11:45 AM