Thank you for the reply. You are correct when you say understanding how the email was sent would be helpful. That is exactly what I am trying to figure out.
I know that the user's logon account had been disable along with a password change. The other parties involved said they had no contact with the individual. All admin passwords were changed and a review of existing accounts was performed. No rogue accounts were found.
I have found some info regarding mail forwarding and Message Tracking logs. Mail send by end-user created mailbox rules show up in the Message Tracking logs as "MAILBOXRULE" in the SOURCE field.
Email that underwent some form of mail routing are identified as "ROUTING" in the SOURCE field.
Messages that are handled by the use of the alternateRecipient, are identified by a "REDIRECT" event in the message tracking log.
Email sent by the transport rule can be identified in the Application event log, if and only if the system has been set to record transport rules.
Does anyone know what file contains Exchange rules and actions?
↧