Meeting Request Mystery

PiotrIr Member Posts: 236
I have a customer who has an Exchange 2010 environment with Outlook 2010 and 2007.
Today I was asked to investigate the following issue.
The manager sent a meeting request to three external customers using Outlook 2010. After a couple of hours he got an acceptance for the request from an internal user called Security, as well as from the other invited people. The problem is he never sent an invitation to the Security user, so he asked me to check what had happened. I expected an easy issue, where the user had just made a simple mistake by accidentally adding an additional address, which I was going to prove using logs. However, I was wrong…
My troubleshooting method:
1. Checked the original meeting request e-mail and it was really addressed only to external users, with no Security e-mail address included. Just in case, I looked at the delivery report, which confirmed this.
2. Looked in the Security mailbox and was able to see the reply to the invitation and a record in the calendar where, apart from all the external people as required, the problematic user was included as optional.
3. Compared the original message which was sent to the three external users and the reply to it made by Security; apart from the time (around a 3-hour delay), no difference at all.
4. Checked the logs on the Exchange server and can see the invitation sent to three external addresses but not sent to Security. I can see the reply but not the message which should have been delivered. Even more, the Security mailbox didn’t get any e-mail that day.
5. I looked at the calendar records on both calendars and Security was listed as an optional person.
6. Just in case, I checked both mailboxes for hard and soft deleted items and wasn’t able to find the invitation.
7. There is no relation between the manager's calendar and the Security calendar; they don’t share them or open them.
I tried to find any reasonable explanation for this issue, or even a possible way it could have happened, and wasn’t able to. Is it possible to send an invitation some other way than e-mail? How could it possibly have happened?
Could you advise me how to resolve the issue, please? The manager really wonders if his invitations are broadcast over the network to people who shouldn’t get them.

Comments

  • RobertKaucher A cornfield in Ohio Member Posts: 4,299 ■■■■■■■■■■
    I will throw something out just for kicks...

    Is security set as the admin of a resource that was booked?
  • phoeneous Go ping yourself... Member Posts: 2,333 ■■■■■■■□□□
    Was it a one-time occurrence or does it happen every time?
  • PiotrIr Member Posts: 236
    Robert,
    Thank you for your reply.
    It wasn’t a resource, it was a meeting.
  • PiotrIr Member Posts: 236
    Thank you for the reply, Phoeneous.

    It has happened once so far. My problem is, I don’t even know how to repeat the situation - I tried to set an appointment in different ways and was always able to find it in the logs as an e-mail…
    Any suggestions?
  • jibbajabba Member Posts: 4,317 ■■■■■■■■□□
    Is the Security mailbox set as a forwarder in the Delivery Options of any of the original users? Does Security have access to the mailboxes, and is any of the mailboxes added to Security's Outlook and (s)he accidentally accepted although (s)he is supposed to monitor mails only?
    My own knowledge base made public: http://open902.com :p
  • PiotrIr Member Posts: 236
    Hi Jibbajabba,
    Thank you for your reply.
    1. Security is not set as a forwarder in the delivery options. But I believe even if it were, it would show in the logs - the message was forwarded to the Security mailbox.
    2. I checked this as well, and the Manager’s mailbox or any other is not on Security's Outlook.
    3. There are also no transport rules on Exchange or Outlook.
    4. The Security user has no access rights to the Manager’s mailbox or calendar.
  • paul78 Member Posts: 3,016 ■■■■■■■■■■
    Could the manager have delegated his/her calendar to Security accidentally?

    Also, do you have a mail proxy outside Exchange that you can inspect? At broker-dealers, it is common to have surveillance which watches emails and does archival and forwarding of emails. DLP does similar too. Maybe it's DLP. Do you have DLP?
  • PiotrIr Member Posts: 236
    Paul,
    Many thanks for the reply.

    Well, this is a kind of option. But can you imagine the Manager accidentally delegating the calendar to Security and then accidentally removing the delegation? Then Security accidentally opens the calendar and later closes it? He told me he hasn’t done anything unusual apart from sending a meeting invitation to external users.
    Unless you know how it could be done; to be honest, I don’t use the meeting option in Outlook too often, so I may be wrong.
    There is a hosted anti-spam and antivirus solution – MessageLabs – on the network. However, I believe if the e-mail went to the proxy and then somehow was redirected to the Security mailbox, it would be recorded on the Exchange server anyway. Just in case, I checked the logs from MessageLabs after your suggestion but there was nothing there. Basically, there are not too many e-mails in the Security mailbox as it is generic and used very rarely, so I was able to track all e-mails received and sent by it in the last month. I found the answer to the invitation but no invitation e-mail at all.
    We don’t have DLP.
  • paul78 Member Posts: 3,016 ■■■■■■■■■■
    You're right. The likelihood that someone doesn't remember delegating their mailbox is low.

    What about the possibility that the inbound replies from the external contacts were treated by MessageLabs as suspicious and MessageLabs forwarded the message to the Security mailbox?
  • PiotrIr Member Posts: 236
    Just in case, I checked this and no Security e-mail was on the MessageLabs control panel. I know that the e-mail name sounds quite serious but it is not. It is just used by the security guys to log in to one PC and sometimes send e-mails, very rarely.
    But I also believe (could you maybe confirm this) all sent and received e-mails should be recorded in the Exchange logs. And there is no e-mail to Security with this invitation at all (only the reply), so maybe there was another way to do this? How can you schedule a meeting for somebody and not use e-mail to send the invitation? Is it possible?
    Microsoft bug? The Manager is quite afraid about the issue and I can understand this.
  • paul78 Member Posts: 3,016 ■■■■■■■■■■
    Have you engaged the security guys with access to the mailbox? Maybe they know.

    I am not an Exchange SME, so I don't know much about its internals and logging. But I do use the calendar function a bit. My own calendar is delegated to my secretary and a lot of the time she can just create, accept, and delete meetings to manage my schedule.

    So another thought: does the manager have admin support for his calendar? Maybe the admin is part of the security group and accepted the meeting but did it from the wrong primary mailbox. Just a random guess, and I'm not sure if that's even possible.

    It still seems like MessageLabs is a possible culprit.
  • PiotrIr Member Posts: 236
    Paul,

    Any suggestion is important as I am stuck, so thank you for all your answers. I double-checked and unfortunately there are neither delegation rights nor access rights from manager to security or security to manager resources. They are also only standard domain users.
    I wouldn’t suspect MessageLabs, as any e-mail, delivered or not, should be recorded on both systems and there are no logs at all.
    My problem is to explain how it could possibly happen, and I’m not able to…
  • phoeneous Go ping yourself... Member Posts: 2,333 ■■■■■■■□□□
    Not sure if this has been said already, but have you asked the Security mailbox owners if they've configured something?
  • PiotrIr Member Posts: 236
    It is a good point; however, the problem is that this PC is used by many other people in the organization with the Security account. So first I would need to know who was using the machine two weeks ago at 5:50 p.m.
    Obviously, if I don't have any other choice, I will try it, but I would prefer to avoid this.
  • RobertKaucher A cornfield in Ohio Member Posts: 4,299 ■■■■■■■■■■
    So the account should actually be named Insecurity.
  • PiotrIr Member Posts: 236
    I would laugh as well, if I didn’t need to explain the issue to the manager…
  • RobertKaucher A cornfield in Ohio Member Posts: 4,299 ■■■■■■■■■■
    Is it possible that one of the people who received it forwarded it to the Security account? Although you said you checked for the invitation, so this seems improbable.
  • paul78 Member Posts: 3,016 ■■■■■■■■■■
    One other thought - does the security mailbox have auto calendar invite enabled? Maybe the manager typoed an extra invite attendee and the Outlook auto address completion feature found the security mailbox in the GAL as the closest match.

    Maybe you can try that yourself and see if you see the same log messages.
  • PiotrIr Member Posts: 236
    Robert, unfortunately I believe it is impossible as it would be recorded in the tracking logs on Exchange.
  • PiotrIr Member Posts: 236
    Paul, could you give me more details about auto invite? I can't find an option like that...
  • paul78 Member Posts: 3,016 ■■■■■■■■■■
    It wasn't an auto-invite. It was auto-complete. I was thinking that maybe the manager typo-ed an extra attendee on the calendar and that the security mailbox was set to auto-accept invites. If the manager started to type "sec" or even "s", I was thinking that when he sent the invite, Outlook did an auto-complete on the invite and sent it to the security mailbox. If the security mailbox was set to auto-accept, the manager would have received a calendar accept from the mailbox.

    See these 2 links for a bit more info:

    About AutoComplete name suggesting - Outlook - Office.com
    Automatically process meeting requests - Outlook - Office.com
  • PiotrIr Member Posts: 236
    Paul,
    This would make perfect sense; the only problem is I would see it in the Exchange tracking logs (tested) but I cannot see anything.
  • RobertKaucher A cornfield in Ohio Member Posts: 4,299 ■■■■■■■■■■
    I think it is time that you take this to the TechNet forums and see if you can get some MVPs and MCMs looking into the issue. It would be a good idea to link back to this thread to give them an idea of the things others have suggested and to know what you have tried.
  • PiotrIr Member Posts: 236
    Robert,

    I have already done this and unfortunately not too much help so far.
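
The checks suggested across this thread (message tracking, forwarding, delegation, mailbox and calendar permissions, auto-accept, rules) gathered into one Exchange 2010 Management Shell pass. This is an added example, not part of any post above; the aliases `manager` and `security` and the date window are placeholders.

```powershell
# Added example: run in the Exchange 2010 Management Shell.
# 'manager', 'security' and the date window are placeholders, not values from the thread.
$Manager  = 'manager'
$Security = 'security'
$Start    = Get-Date '2012-01-01 00:00'   # placeholder: start of the day the request was sent
$End      = Get-Date '2012-01-02 00:00'   # placeholder: end of the search window

$secAddr = (Get-Mailbox $Security).PrimarySmtpAddress.ToString()

# 1. Message tracking on every Hub Transport server:
#    anything delivered to, or submitted by, the Security mailbox in the window.
$hubs    = Get-TransportServer
$toSec   = $hubs | Get-MessageTrackingLog -Recipients $secAddr -Start $Start -End $End -ResultSize Unlimited
$fromSec = $hubs | Get-MessageTrackingLog -Sender $secAddr -Start $Start -End $End -ResultSize Unlimited
@($toSec) + @($fromSec) | Sort-Object Timestamp |
    Format-Table Timestamp, EventId, Source, Sender, Recipients, MessageSubject -AutoSize

# 2. Forwarding and send-on-behalf (delegate) settings on the manager's mailbox.
Get-Mailbox $Manager |
    Format-List ForwardingAddress, DeliverToMailboxAndForward, GrantSendOnBehalfTo

# 3. Explicit (non-inherited) mailbox permissions on both mailboxes.
$Manager, $Security | ForEach-Object {
    Get-MailboxPermission -Identity $_ |
        Where-Object { -not $_.IsInherited -and $_.User -notlike 'NT AUTHORITY\SELF' }
} | Format-Table Identity, User, AccessRights -AutoSize

# 4. Calendar folder permissions: who can read or edit the manager's calendar.
#    The folder name is localized; 'Calendar' assumes an English mailbox.
Get-MailboxFolderPermission -Identity "${Manager}:\Calendar" |
    Format-Table User, AccessRights -AutoSize

# 5. Does the Security mailbox process meeting requests automatically?
Get-CalendarProcessing -Identity $Security |
    Format-List AutomateProcessing, ProcessExternalMeetingMessages

# 6. Inbox rules on either mailbox that forward or redirect mail.
$Manager, $Security | ForEach-Object { Get-InboxRule -Mailbox $_ } |
    Where-Object { $_.ForwardTo -or $_.RedirectTo -or $_.ForwardAsAttachmentTo } |
    Format-Table MailboxOwnerId, Name, ForwardTo, RedirectTo -AutoSize
```

Empty output from every step matches what the original poster reports finding by hand; any row returned by steps 2 to 6 is a path by which the meeting could have reached the Security calendar.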