Emails change to read without user opening or reading.

  • Question

  • Have a user whose emails seem to randomly change to read. 

    User has other emails that appear to be changing to the read status on their own.

    Any ideas? User doesn't have a mobile device, does not use OWA and only uses one computer. I had her keep Outlook closed one morning and only use OWA to check for rules and it appears that the issue still occurred.

    For at least one email, the user forwarded the message to me and it came into my mailbox as read.

    I need to rule out another user or system accessing the mailbox.

    I've gone through the whitepaper on mailbox auditing with Exchange 2007 but I haven't found how to filter the audit information for a specific mailbox. 

     

    Wednesday, September 5, 2012 8:16 PM

Answers

  • Either someone is accessing or it could be a rule or third party app. I would start with ruling out another user.

    Message Access Auditing
    http://technet.microsoft.com/en-us/library/ee331009(EXCHG.80).aspx

    When Message Access Auditing is enabled, events that resemble the following are logged:

    Event ID: 10102
    Severity: Informational
    Facility: AccessAuditing

    The message Internet_Message_ID in Mailbox Mailbox_Where_The_Message_Is_Saved was opened by user User_Who_Authenticated_To_The_Information_Store

    Folder: Folder_Name
    Accessing User: LegacyDN_Of_The_User_Who_Opened_The_Message
    Mailbox: LegacyDN_Of_The_Mailbox
    Administrative Rights: Flag_That_Indicates_Whether_Administrator_Rights_Were_Used_To_Open_The_Folder
    Identifier: Unique_Identifier

    Client Information (if Available):
    Machine Name: Computer_Name
    Address: Address_Composed_By_The_Client
    Process Name: Process_Name
    Process Id: Process_ID_(PID)
    Application Id: Application_ID


    James Chong MCITP | EA | EMA; MCSE | M+, S+ Security+, Project+, ITIL msexchangetips.blogspot.com

    Wednesday, September 5, 2012 8:45 PM
  • I'd check the permissions on the mailbox, and then run Get-LogonStatistics on everyone who's got permissions when you notice it happening.

    [string](0..33|%{[char][int](46+("686552495351636652556262185355647068516270555358646562655775 0645570").substring(($_*2),2))})-replace " "

    Wednesday, September 5, 2012 9:20 PM
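
The event 10102 layout quoted in the first answer is enough to narrow the audit data to one mailbox, which is what the question asks for. The sketch below is an added example, not code from the thread or from Microsoft: it parses the message text of 10102 events and lists opens of one mailbox by anyone other than its owner. The function names, the sample events and every value in them are constructed, and it assumes each value follows its label on the same line or the next one.

```powershell
# Parse one event 10102 message body into an object with one property per label.
# Assumption: each value follows its "Label:" on the same line or on the next line.
function ConvertFrom-AccessAuditMessage {
    param([string]$Message)
    $fields = @{}
    foreach ($label in 'Folder', 'Accessing User', 'Mailbox',
                       'Administrative Rights', 'Machine Name', 'Process Name') {
        $m = [regex]::Match($Message, '(?m)^\s*' + [regex]::Escape($label) + ':\s*(\S[^\r\n]*)')
        $value = $null
        if ($m.Success) { $value = $m.Groups[1].Value.Trim() }
        $fields[$label -replace ' ', ''] = $value   # e.g. "Accessing User" -> AccessingUser
    }
    New-Object psobject -Property $fields
}

# Keep only opens of one mailbox by an account other than the mailbox owner.
function Get-ForeignMailboxAccess {
    param([string[]]$Messages, [string]$MailboxDN, [string]$OwnerDN)
    $Messages | ForEach-Object { ConvertFrom-AccessAuditMessage $_ } |
        Where-Object { $_.Mailbox -eq $MailboxDN -and $_.AccessingUser -ne $OwnerDN }
}

# Constructed sample data: every name and value below is made up for illustration.
# In practice $messages would hold the message text of the exported 10102 events.
$template = @'
The message {0} in Mailbox {1} was opened by user {2}
Folder: /Inbox
Accessing User: {3}
Mailbox: {4}
Administrative Rights: {5}
Machine Name: {6}
Process Name: {7}
'@
$dn   = '/o=Example/ou=First Administrative Group/cn=Recipients/cn='
$jdoe = $dn + 'jdoe'
$messages = @(
    ($template -f '<m1@example.test>', 'Jane Doe', 'EXAMPLE\jdoe', $jdoe, $jdoe, 'false', 'PC-JDOE', 'OUTLOOK.EXE'),
    ($template -f '<m2@example.test>', 'Jane Doe', 'EXAMPLE\svc-app', ($dn + 'svc-app'), $jdoe, 'false', 'APPSRV01', 'integration.exe'),
    ($template -f '<m3@example.test>', 'Bob Roe', 'EXAMPLE\svc-app', ($dn + 'svc-app'), ($dn + 'broe'), 'false', 'APPSRV01', 'integration.exe')
)

# Summarise who opened the owner's mail, from which machine and with which process.
Get-ForeignMailboxAccess -Messages $messages -MailboxDN $jdoe -OwnerDN $jdoe |
    Group-Object AccessingUser, MachineName, ProcessName |
    Select-Object Count, Name
```

An accessing user, machine and process that the mailbox owner does not recognise is the lead to take into the mailbox permissions check suggested in the second answer.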

All replies

  • Thanks for the reply. This is what I've told the user, but when I got the email and it came in as read, I had to admit there is something unusual.

    I've been reading the TechNet articles and exhangeserver.org. So, looking at auditing with thousands of mailboxes, it's difficult to monitor a single mailbox.

    Wednesday, September 5, 2012 8:52 PM
  • Appreciate both...

    Looks like Cisco Presence IM is the culprit.

    Thanks

    Tuesday, September 25, 2012 7:40 PM