Exchange’s Duplicate Detection vs. Completeness of Archive

Although Microsoft Exchange 2010 no longer has single-instance storage, and older versions did not have this feature enabled by default, the topic of “duplicates” still seems to play a major role in Exchange. While running tests for an internal project, we discovered some interesting details about this that most of us are probably not aware of.

As described at http://blogs.technet.com/b/exchange/archive/2004/07/14/183132.aspx, Exchange actively prevents delivery of multiple “identical” emails to a mailbox. Unfortunately, reusing the same combination of Message-ID and Date header is sufficient to make Exchange believe it is dealing with a duplicate message. It does not matter whether any other header lines or even the body content are different. Although the article is from 2004, we were still able to reproduce the behavior multiple times on our own Exchange 2010 server.

That means that if somebody wants to harm you, he just needs to send a harmless email followed by one with compromising content that reuses the Date header and Message-ID of the harmless mail. While you or your employees would probably claim not to have received the second email, the sender would definitely be able to prove the opposite.

As the above duplicate detection only affects deliveries to regular mailboxes and is inactive when Exchange message journaling is used, we would like to point out that complete and lawful email archiving of your Exchange server requires the use of Microsoft Exchange’s journal feature. The above behavior is not the only reason: archiving only users’ mailboxes may lead to an incomplete archive of your email communication.
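Because the journal receives both messages, it can be used to spot the cases where mailbox delivery would have dropped one. The following is an added example, not MailStore or Microsoft code: it assumes raw RFC 5322 messages exported from a journal mailbox, and the function names and sample messages are constructed for illustration.

```python
import hashlib
from collections import defaultdict
from email import message_from_string, policy


def dedup_key(msg):
    """Key on the two headers the post says Exchange compares."""
    return (str(msg["Message-ID"] or "").strip(), str(msg["Date"] or "").strip())


def content_digest(msg):
    """Hash subject plus body text so differing content under one key stands out."""
    body = msg.get_body(preferencelist=("plain", "html"))
    text = body.get_content() if body is not None else ""
    subject = str(msg["Subject"] or "")
    return hashlib.sha256((subject + "\n" + text).encode("utf-8")).hexdigest()


def find_colliding_messages(raw_messages):
    """Return {(message_id, date): [digests]} for keys seen with differing content."""
    groups = defaultdict(set)
    for raw in raw_messages:
        msg = message_from_string(raw, policy=policy.default)
        key = dedup_key(msg)
        if not key[0]:
            continue  # no Message-ID header, nothing to compare on
        groups[key].add(content_digest(msg))
    return {k: sorted(v) for k, v in groups.items() if len(v) > 1}


def _sample(mid, date, subject, body):
    # Constructed test message, not real mail.
    return (f"From: a@example.com\nTo: b@example.com\nMessage-ID: {mid}\n"
            f"Date: {date}\nSubject: {subject}\n\n{body}\n")


# Constructed journal export: the first pair reuses Message-ID and Date with
# different content; the second pair is a genuine duplicate.
SAMPLE_JOURNAL = [
    _sample("<1@example.com>", "Mon, 01 Mar 2010 10:00:00 +0100", "Lunch", "See you at noon."),
    _sample("<1@example.com>", "Mon, 01 Mar 2010 10:00:00 +0100", "Contract", "Different text."),
    _sample("<2@example.com>", "Mon, 01 Mar 2010 11:00:00 +0100", "Report", "Attached."),
    _sample("<2@example.com>", "Mon, 01 Mar 2010 11:00:00 +0100", "Report", "Attached."),
]

if __name__ == "__main__":
    for (mid, date), digests in find_colliding_messages(SAMPLE_JOURNAL).items():
        print(f"{mid} / {date}: {len(digests)} different contents")
```

Genuine duplicates (same headers, same content) are not reported; only header pairs that carry more than one distinct content are.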

How to configure the journal feature of your Exchange server and then archive emails with MailStore Server is described in detail in the appropriate sections of our Implementation Guides for Exchange 2003, Exchange 2007, Exchange 2010 and Office 365.

If you have questions regarding this topic, our support team would be happy to assist you.
