Meeting Request Mystery

PiotrIr · June 2012

I have customer who has exchange 2010 environment with Outlook 2010 and 2007.
Today I was asked to investigate following issue.
Manager sent Meeting Request to three external customers using Outlook 2010. After couple of hours he got Acceptation from internal user called Security for the request as well as from other invited people. The problem is he has never sent invitation to Security user so he asked me to check what had happened. I expected easy issue, where user just made simple mistake adding accidently additional address, what I was going to improve using logs. However I was wrong…
My troubleshooting method.
1. Checked original meeting request e-mail and it was really addressed only to external users, no security e-mail address included. Just in case looked to Delivery report which confirmed this.
2. Looked to Security mailbox and was able to see reply for invitation and record in calendar where apart of all external people as required, the problematic user was included as optional.
3. Compared original message which was sent to three external users and reply to it made by security, a part of time (around 3 hours delay) no difference at all.
4. Checked logs on Exchange server and can see invitation sent to three external addresses but not sent to Security. I can see reply but not message which should be delivered. Even more, the security mailbox hasn’t got any e-mail that day.
5. I looked at calendar records on both calendars and Security was as Optional person.
6. Just in case I checked both mailboxes for hard and soft deleted items and wasn’t able to find invitation.
7. There is no relation between Manager Calendar and Security Calendar, they don’t share them or open.
I tried to find any reasonable explanation for this issue, even possible way how it could happened and wasn’t able. Is it possible to send invitation other way than e-mail? How it could possibly happened?
Could you advise me how to resolve the issue please? Manager really wanders if his invitation is broadcasted over network to people who shouldn’t get them.

RobertKaucher · June 2012

I will throw something out just for kicks...

Is security set as the admin of a resource that was booked?

phoeneous · June 2012

Was it a one time occurence or does it happen everytime?

PiotrIr · June 2012

Robert,
Thank you for your reply,
It wasn’t resource it was a meeting.

PiotrIr · June 2012

Thank you for reply Phoeneous

It happens once so far. My problem is, I don’t know even know how repeat the situation - tried to set appointment in different ways and always was able to find it in logs as an e-mail…
Any suggestion?

jibbajabba · June 2012

Is Security mailbox set as forwarder in the Delivery Options of any of the original user ? Does security have access over the mailboxes and is any of the mailboxes added to security's Outlook and (s)he accidentally accepted although (s)he is supposed to monitor mails only ?

PiotrIr · June 2012

Hi Jibbajabba,
Thank you for your reply.
1. Security is not set as forwarder in delivery options. But I believe even if it would be, it would show in logs - the message was forwarded to Security mailbox.
2. I checked this as well and Manager’s mailbox or any other is not on security Outlook.
3. There are also no transport rules on Exchange or Outlook
4. Security user has no access rights to Manager’s Mailbox or Calendar

paul78 · June 2012

Could manger had delegated his/her calendar to security accidentally?

Also do you have a mail proxy outside Exchange that you can inspect? At broker-dealers, it is common to have survaillence which watch emails and do archival and forwarding of emails. DLP does similar too. Maybe its DLP. Do you have DLP?

PiotrIr · June 2012

Paul,
Many thanks for reply.

Well, this is kind of option. But can you imagine the Manager accidently delegate calendar to security and then accidently remove delegation. Thank Security accidently opens the calendar and later close it? He told me he hasn’t done anything unusual apart of sending meeting invitation to external users.
Unless you know how it could be done, to be honest I don’t use meeting option in Outlook to often so I may be wrong.
There is hosted anti spam and antivirus solution – Mesagelabs on the network. However I believe if the e-mail would go to proxy and then somehow was redirected to security mailbox, it would be recorded on Exchange server anyway. Just in case I checked logs from Messaelabs after your suggestion but nothing there. Basically there are no too many emails on Security mailbox as it is generic and used very rarely so I was able to track all e-mails received and send by it in last month. I found answer for invitation but no invitation e-mail at all.
We don’t have DLP.

paul78 · June 2012

You're right. The likelihood that someone doesnt remember delegating their mailbox is low.

What about the possibility that the inbound replies from the external contacts were treated by MessageLabs as suspicious and MessageLabs forwarded the message to Security mailbox.

PiotrIr · June 2012

Just in case I checked this and no security e-mail was on Messagelabs control panel. I know that the e-mail name sound quite serious but it is not. It just used by security guys to login to one PC and sometimes send e-mails, very rarely.
But I also believe (could you maybe confirm this) all send and received e-mails should be recorded in Exchange Logs. And there is no e-mail to security with this invitation at all (only reply) so maybe there was other way to do this? How you can schedule meeting for somebody and don’t use e-mail to send invitation? Is it possible?
Microsoft bug? The Manager is quite afraid about the issue and I can understand this.

paul78 · June 2012

Have you engaged the security guys with access to the mailbox? Maybe they know.

I am not an Exchange SME, so I dont know much about its internals and logging. But I do use the calendar function a bit. My own calendar is delegated to my secretary and a lot of time she can just create, accept, and delete meetings to manage my schedule.

So another thought, does the manager have admin support for his calendar. Maybe, the admin is part of security group and accepted the meeting but did it from wrong primary mailbox. Just a random guess, and I'm not sure if thats even possible.

It still seems like MessageLabs is a possible culprint.

PiotrIr · June 2012

Paul,

Any suggestion is important as I stuck, so thank you for all you answers. I double checked and unfortunately there are neither delegation rights nor access rights from manager to security or security to manager resources. They are also only standard domain users.
I wouldn’t suspect Mesagelabs as any e-mail delivered or not should be recorded on both systems and there are no logs at all.
My problem is to explain how it possibly could happen and I’m not able….

phoeneous · June 2012

Not sure if this has been said already but, have you asked the Security mailbox owners if they've configured something?

PiotrIr · June 2012

It is good point, however problem is, this PC is used for many other people in organization with Security account. So first I would need to know who was using the machine two weeks ago at 5:50 p.m.
Obviously if I would not have any other choice, I will try it but would prefer to avoid this.

RobertKaucher · June 2012

REMOVED UNNECESSARY QUOTED REPLY FROM PREVIOUS POST

So the account should actually be named Insecurity.

PiotrIr · June 2012

I would laugh as well, if I wouldn’t need to explain the issue to the manager…

RobertKaucher · June 2012

Is it possible that one of the people who received it forwarded it to the Security account? Although you said you checked for the invitation, so this seems improbable.

paul78 · June 2012

One other thought - does the security mailbox have auto calendar invite enabled. Maybe the manager typoed an extra invite attendee and the outlook autoaddress completion feature found the security mailbox in the GAL as the closest match.

Maybe you can try that yourself and see if you see the same log messages.

PiotrIr · June 2012

Robert, unfortunately I believe it is impossible as it would be recorded in tracking logs on Exchange.

PiotrIr · June 2012

Paul, could you give me more details about auto invite? I can't find option like that...

paul78 · June 2012

It wasn't an auto-invite. It was auto-complete. I was thinking that maybe the manager typo-ed an extra attendee on the calendar and that the security mailbox was set to auto-accept invites. If the manager, started to type "sec" or even "s" - I was thinking that when he sent the invite, outlook did an auto complete on the invite and sent it to the security mailbox. If the security mailbox was set to auto-accept, the manager would have received a calendar accept from the mailbox.

See these 2 links for a bit more info:

About AutoComplete name suggesting - Outlook - Office.com
Automatically process meeting requests - Outlook - Office.com

PiotrIr · June 2012

Paul,
This would make perfect sense, the only problem is I would see it in Exchange track logs (tested) but I cannot see anything.

RobertKaucher · June 2012

I think it is time that you take this to the TechNet forums and see if you can get some MVPs and MCMs looking into the issue. It would be a good idea to link back to this thread to give them an idea of the things others have suggested and to know what you have tried.

PiotrIr · June 2012

Robert,

I have already done this and unfortunately not too much help so far.

Meeting Request Mystery

Comments