Journaling and BCC

    Question

  • Hello,

    In Exchange 2010, BCC recipient information was limited to the journal report and expunged from the attached email's header by Exchange if EWS was used for message retrieval.

    Apparently, this has changed with recent versions of Exchange 2013 and Exchange 2016. Now, not only the journal report but also the attached email's header contains the full BCC recipient list. This is true for standard (database) journaling as well as for journaling rules.

    If this change is intentional, it would render the journaling report pretty much obsolete because the full sender and recipient information is already part of the attached "original" email itself. But worse, it could pose a security threat for any archiving solution that uses the information in the journal report to get senders and recipients and then archives the attached email as is. BCC information would be disclosed to recipients of Exchange-internal mails that way.

    Any thoughts? Thanks!

    Björn

    Thursday, March 17, 2016 8:39 AM

All replies

  • Hi Bjorn,

    Based on my knowledge, there isn’t much difference between the journaling functionality in Exchange 2013 and Exchange 2010. The Bcc recipient information will not be limited to appearing in a journal report in Exchange 2010; the extended journal report fields will include Bcc information also.

    More details about Journal reports for your reference:

    Understanding Journal Reports

    Extended fields in Exchange 2010 journal reports provide more recipient details, if available. The To, Cc, and Bcc fields in the journal report let you view how recipients are addressed in the original message.

    Best regards,



    Niko Cheng
    TechNet Community Support

    Friday, March 18, 2016 7:47 AM
    Moderator
  • Hi Niko,

    With regard to the journal reports' body, BCC is expected both in Exchange 2010 and 2013 as an extended field, as you've described. My question was regarding the email attached to the report (the copy of the original email).

    I’ve done a little more analysis in the meantime. By enabling pipeline tracing on Exchange 2010 and 2013, I could see that, apart from some differences due to the architectural changes from Exchange 2010 to 2013, the email attached to the journal report contains BCC information in both versions when extracted by pipeline tracing. Only when retrieving the full journal report (including attachment) through EWS as MIME is the BCC information stripped from the attachment in 2010 while retained in 2013. It seems to me that either the MIME conversion routine or the header firewall has changed between versions in this regard.

    Kind regards,

    Björn

    Monday, March 21, 2016 3:36 PM
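
The risk raised in this thread (an archive that stores the attached email as is, Bcc header included) can be handled on the archiving side. The following is an added example, not code from any poster or from Exchange: it parses a journal report retrieved as MIME, keeps the report body as the source of recipient information, and removes Bcc headers from the attached copy before it is stored. The sample report is constructed and simplified, and the function names are illustrative.

```python
from email import message_from_bytes, policy

# Constructed, simplified journal report: the attached original still carries Bcc.
SAMPLE_REPORT = b"""\
From: MicrosoftExchange@example.test
To: journal@example.test
Subject: FW: Quarterly numbers
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

Sender: alice@example.test
To: bob@example.test
Bcc: carol@example.test

--b1
Content-Type: message/rfc822

From: alice@example.test
To: bob@example.test
Bcc: carol@example.test
Subject: Quarterly numbers

Numbers attached.
--b1--
"""

def split_journal_report(raw):
    """Return (report_body_text, attached_original) from a journal report."""
    report = message_from_bytes(raw, policy=policy.default)
    body = original = None
    for part in report.iter_parts():
        ctype = part.get_content_type()
        if ctype == "message/rfc822" and original is None:
            original = part.get_content()  # the embedded EmailMessage
        elif ctype == "text/plain" and body is None:
            body = part.get_content()
    if original is None:
        raise ValueError("no message/rfc822 attachment in journal report")
    return body, original

def archive_copy(raw):
    """Strip Bcc from the attached copy; report which addresses it exposed."""
    body, original = split_journal_report(raw)
    leaked = [str(v) for v in original.get_all("Bcc", [])]
    del original["Bcc"]  # removes every Bcc header, no error if none exist
    return body, leaked, original.as_bytes()
```

A non-empty `leaked` list means the retrieved MIME carried Bcc recipients in the attachment itself, which is the behaviour described above for Exchange 2013 over EWS.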