Journal per Domains or User

Message journaling in Exchange has been available since version 5.5 and is now called message archiving in Exchange 2000. Enabling archiving for every message on a server can be overkill if you only want to monitor Internet mail being sent to or from certain email addresses or domains. For example, you may want to audit all the email that is being sent to hotmail.com, or all email sent to a particular email address in your organization.

This article details setting up an SMTP transport sink that fires on a rule such as Rcpt to=*@hotmail.com, which catches any mail being sent to hotmail.com, and then appends the address of your monitor mailbox to the SMTP envelope recipient list. The email is then delivered as normal, with a copy going to your monitor mailbox. The users at either end will have no idea the mail has been intercepted in any way, because the To field on the email is not modified and neither are the Internet headers that are available to the user.

You can also do this for specific email addresses. For example, to monitor all email going to a certain user, you would fire on a rule such as Rcpt to=sususer@yourdomain.com

Caveat

The one caveat, as I mentioned on the first page of this article, is that if you want to monitor mail sent from a user whose mailbox exists on the same server where you are firing the SMTP event sink, the senderemailaddress field of the message will be blank, so any sink rules you set up for that user won't fire. In this case you would need to have the sink firing on a border SMTP server; see this Qbase article for more details.

How it works

Within the SMTP_Onarrival event you can access the Msg object, which is a CDO handle to the message being processed by the SMTP server.
The Msg.EnvelopeFields("http://schemas.microsoft.com/cdo/smtpenvelope/recipientlist") field contains the list of recipients of a message before it is processed by the categorizer. The script below appends the address of your monitor mailbox to the recipient list of the email. When the email reaches the categorizer, a copy is delivered to the monitor mailbox and delivery of the original email continues normally.

<SCRIPT LANGUAGE="VBScript">
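Sub ISMTPOnArrival_OnArrival(ByVal Msg, EventStatus)
    ' Ignore run-time errors and carry on with the next statement
    On Error Resume Next
    Dim RecpList
    ' Envelope recipient list: a string of "SMTP:address;" entries
    RecpList = LCase(Msg.EnvelopeFields("http://schemas.microsoft.com/cdo/smtpenvelope/recipientlist"))
    ' Append the monitor mailbox (replace yourdomain.com with your own domain)
    RecpList = RecpList & "SMTP:mointermailbox@yourdomain.com;"
    Msg.EnvelopeFields("http://schemas.microsoft.com/cdo/smtpenvelope/recipientlist") = RecpList
    ' Commit the change to the message envelope
    Msg.EnvelopeFields.Update
End Sub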
</SCRIPT>
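
To make the envelope/header distinction concrete, the following added example (Python, not part of the original article or its script) models the recipientlist string, a simplified "Rcpt to=" rule match and the append, then lists envelope recipients that appear in no To/Cc header, which is the check an auditor reviewing mail flow would use to spot a copy like this. The function names, the monitor address, the sample headers and the skip-if-already-present check are assumptions for illustration.

```python
import fnmatch
from email import message_from_string
from email.utils import getaddresses

MONITOR = "monitormailbox@yourdomain.com"  # placeholder monitor mailbox
# Constructed sample headers, as the recipient's mail client would show them
HEADERS = "From: sususer@yourdomain.com\nTo: friend@hotmail.com\nSubject: hi\n\n"


def parse_recipient_list(value):
    """Split "SMTP:a@b;SMTP:c@d;" into lower-cased addresses."""
    items = [i.strip() for i in value.split(";") if i.strip()]
    return [(i[5:] if i.upper().startswith("SMTP:") else i).lower() for i in items]


def rule_matches(rule, recipients):
    """Simplified model of a "Rcpt to=" rule; '*' is a wildcard."""
    pattern = rule.split("=", 1)[1].strip().lower()
    return any(fnmatch.fnmatchcase(r, pattern) for r in recipients)


def on_arrival(recipient_list, rule, monitor=MONITOR):
    """Envelope recipient list after the sink has run for this rule."""
    recipients = parse_recipient_list(recipient_list)
    if not rule_matches(rule, recipients) or monitor.lower() in recipients:
        return recipient_list  # rule did not fire, or copy already requested
    if recipient_list and not recipient_list.endswith(";"):
        recipient_list += ";"
    return recipient_list + "SMTP:" + monitor + ";"


def envelope_only(recipient_list, raw_headers):
    """Envelope recipients that appear in no To/Cc header."""
    msg = message_from_string(raw_headers)
    shown = msg.get_all("To", []) + msg.get_all("Cc", [])
    visible = {addr.lower() for _, addr in getaddresses(shown)}
    return [r for r in parse_recipient_list(recipient_list) if r not in visible]


if __name__ == "__main__":
    envelope = on_arrival("SMTP:friend@hotmail.com;", "Rcpt to=*@hotmail.com")
    print(envelope)
    print(envelope_only(envelope, HEADERS))
```

Ordinary Bcc recipients also show up as envelope-only, so the result is a starting point for review rather than proof that a sink is installed.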

Installation

Before using this script you need to replace the yourdomain.com text in the script with your own domain. To install and use an SMTP event sink you will first require the smtpreg.vbs script that is included in the Exchange SDK. Create a directory on your server's C: drive called c:\smtpevt and copy the smtpreg.vbs and smtpjrnl.vbs scripts into this directory.

To create an event sink for the smtpjrnl.vbs script that will fire when mail is sent to *.hotmail.com, type the following from a command line in the c:\smtpevt directory:

    cscript smtpreg.vbs /add 1 onarrival smtpjrnl CDO.SS_SMTPOnArrivalSink "Rcpt to=*@hotmail.com"

You then need to associate the smtpjrnl.vbs script with the event sink you have created:

    cscript smtpreg.vbs /setprop 1 onarrival smtpjrnl Sink ScriptName c:\smtpevt\smtpjrnl.vbs

If you wish to delete this event sink later, type:

    cscript smtpreg.vbs /remove 1 onarrival smtpjrnl
Disclaimer: Your use of the information contained in these pages is at your sole risk. All information on these pages is provided "as is", without any warranty, whether express or implied, of its accuracy, completeness, fitness for a particular purpose, title or non-infringement, and none of the third-party products or information mentioned in the work are authored, recommended, supported or guaranteed by Stephen Bryant or Pro Exchange. OutlookExchange.Com, Stephen Bryant and Pro Exchange shall not be liable for any damages you may sustain by using this information, whether direct, indirect, special, incidental or consequential, even if it has been advised of the possibility of such damages.
Copyright Stephen Bryant 2008