Blocking rules in transport agent exchange 2010

  • Question

  • Hi,

    We want to check for malicious rules through a transport agent and block them if they are unintended.

    E.g. we would like to block a specific rule as mentioned below:

    A is sending an email to B, and now C has set a rule to get a BCC or diversion of the email to C, i.e. communication between A and B is getting diverted to C.

    Now we don't want such a rule to execute. Is there any way I can block it, or some way to know in my transport agent that mail is going to unintended recipients? In journaling we come to know by looking at the header that mail is diverted to some recipient; is there any way I can know it in the agent?

    I am using the void OnRoutedMessageHandler(RoutedMessageEventSource source, QueuedMessageEventArgs args) routing agent.

    Regards,

    Friday, February 1, 2013 11:58 AM

Answers

  • I don't believe you would be able to do this because there would be no difference between a mail that was legitimately addressed this way and one that was changed by a transport rule. Transport rules can only be created by administrators, and if you don't trust your administrators then this is going to create a lot more fundamental problems. In cases where you want to track administrator misuse you need to have the admin logs being written to a non-repudiable source, then you track based on that data (this is the way things like PCI work in the payment card industry; you do this also because it then gives you evidence and a legal framework to prosecute the administrator in that case).

    Cheers
    Glen

    • Marked as answer by ABBhagwat Monday, February 4, 2013 5:51 AM
    Monday, February 4, 2013 12:09 AM
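
Added example, not part of the original thread: one way to do the admin-log tracking described in the answer above is to filter admin audit log entries for transport rule changes that copy or redirect mail. The entry shape follows Search-AdminAuditLog output; the sample entries, addresses and the function names Find-DivertingRuleChange and New-SampleEntry are constructed for illustration.

```powershell
# Cmdlets and parameters that can make a transport rule deliver mail to extra recipients.
$RuleCmdlets     = 'New-TransportRule', 'Set-TransportRule'
$DivertingParams = 'BlindCopyTo', 'CopyTo', 'RedirectMessageTo', 'AddToRecipients'

# Emits one record per diverting parameter found on a rule-changing audit entry.
function Find-DivertingRuleChange {
    param([Parameter(ValueFromPipeline = $true)] $Entry)
    process {
        if ($RuleCmdlets -notcontains $Entry.CmdletName) { return }
        foreach ($p in $Entry.CmdletParameters) {
            if ($DivertingParams -contains $p.Name) {
                New-Object PSObject -Property @{
                    RunDate   = $Entry.RunDate
                    Caller    = $Entry.Caller
                    Cmdlet    = $Entry.CmdletName
                    Rule      = $Entry.ObjectModified
                    Action    = $p.Name
                    Recipient = $p.Value
                }
            }
        }
    }
}

# Hypothetical helper: builds an object shaped like a Search-AdminAuditLog result.
function New-SampleEntry($Date, $Caller, $Cmdlet, $Rule, [hashtable]$Params) {
    $cp = foreach ($k in $Params.Keys) {
        New-Object PSObject -Property @{ Name = $k; Value = $Params[$k] }
    }
    New-Object PSObject -Property @{
        RunDate = $Date; Caller = $Caller; CmdletName = $Cmdlet
        ObjectModified = $Rule; CmdletParameters = @($cp)
    }
}

# Constructed sample entries: a harmless rule, a BCC rule, and an unrelated cmdlet.
$sample = @(
    (New-SampleEntry '2013-02-01 09:12' 'contoso.example/Users/admin1' 'New-TransportRule' 'Tag external' @{ SubjectContainsWords = 'invoice'; PrependSubject = '[EXT] ' }),
    (New-SampleEntry '2013-02-01 10:47' 'contoso.example/Users/admin2' 'New-TransportRule' 'Copy A to B' @{ From = 'a@contoso.example'; SentTo = 'b@contoso.example'; BlindCopyTo = 'c@contoso.example' }),
    (New-SampleEntry '2013-02-01 11:03' 'contoso.example/Users/admin1' 'Set-Mailbox' 'b' @{ Identity = 'b'; IssueWarningQuota = '2GB' })
)

# Only the 'Copy A to B' entry is reported, with Action = BlindCopyTo.
$sample | Find-DivertingRuleChange |
    Format-Table RunDate, Caller, Cmdlet, Rule, Action, Recipient -AutoSize

# On a server with admin audit logging enabled, feed the real log through the same filter:
# Search-AdminAuditLog -Cmdlets $RuleCmdlets -StartDate (Get-Date).AddDays(-7) | Find-DivertingRuleChange
```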

All replies

  • Hi Glen,

    I also debugged the agent and tried to find out if I could get something that would tell me that this email is coming from an Exchange rule, but I didn't find anything. Thanks for sharing the information. Your explanation perfectly matches my scenario. We already have admin logs enabled, but just wanted to check if we can have any more checks.

    Regards,

    Amit

    Monday, February 4, 2013 5:51 AM