Register a SA Forums Account here!
JOINING THE SA FORUMS WILL REMOVE THIS BIG AD, THE ANNOYING UNDERLINED ADS, AND STUPID INTERSTITIAL ADS!!!

You can: log in, read the tech support FAQ, or request your lost password. This dumb message (and those ads) will appear on every screen until you register! Get rid of this crap by registering your own SA Forums Account and joining roughly 150,000 Goons, for the one-time price of $9.95! We charge money because it costs us money per month for bills, and since we don't believe in showing ads to our users, we try to make the money back through forum registrations.
 
  • Post
  • Reply
Old Binsby
Jun 27, 2014

it's that time of year, stumbled upon that guy calling in that Outlook is really slow and has been for a while but he's hoping we can finally fix it. I'm the fourth person to get the ticket assigned ... lets... seee.... ah, the season for sharing the joy after all

User has had mailbox since start of employment - 1997.

There are 159922 unread items in his Inbox and he does not want to remove any. Or mark them read. The unread ones are unread for a reason. These include all messages ever placed in the Sent items box. And drafts. All folders in his mailbox are empty except the inbox, which we can't touch. New folders will throw him for a loop, how will he find anything? He know at what height important messages are on the scroll bar on his screen. Besides the search doesn't work. Poorly even when it was still Notes, probably. Please advise

Adbot
ADBOT LOVES YOU

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
150k isn't inherently bad. I'm sure o365 with its generous storage policy will let you accumulate 3x as much. However, digital hoarding on a grand scale should be sent directly to HR and god willing you have a retention policy (with a email archiver) to beat this person with. Because if you do, and grandpa here with the first recorded e-mail ever, and litigation against the company finds out, it you'll be ffffuuuuccckkkeeed.

incoherent fucked around with this message at 01:48 on Dec 18, 2018

MF_James
May 8, 2008
I CANNOT HANDLE BEING CALLED OUT ON MY DUMBASS OPINIONS ABOUT ANTI-VIRUS AND SECURITY. I REALLY LIKE TO THINK THAT I KNOW THINGS HERE

INSTEAD I AM GOING TO WHINE ABOUT IT IN OTHER THREADS SO MY OPINION CAN FEEL VALIDATED IN AN ECHO CHAMBER I LIKE

150k UNREAD messages, that's a lot of unread messages. I've never directly admined exchange, but our architect used to handle our own and he mentioned before that a high amount of unread mail will cause outlook to be slow because it's constantly sending data to/from the exchange server.

Maybe something has changed, this was 5-6 years ago, but I doubt it.

*edit*
or he could have been loving with me so I'd mark all the messages read in outlook, I have something like 200K+ unread on the machine our one client gives us because I never open outlook, all the email gets forwarded by a transport rule to my internal address.

MF_James fucked around with this message at 01:42 on Dec 18, 2018

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
If you're off cached mode, then yes it will do a lot of traffic.

Old Binsby
Jun 27, 2014

The Unread items counter in particular has crashed Outlook in the past when it went beyond a certain number, I think. I always use 10.000 as a single good number to remember. Always keep <10.000 items in a folder, always use <10.000 folders in your mailbox. Easy and this user will have to deal with folders because this is going to kill his mailbox if he can't even open it before lunch. He's pretty good about cleaning things up, the entire mailbox is under 10 GB. There's just ... still >20 year old crap in there, migrated and migrated and migrated and migrated...
Our archiving appliance is slurping up all mail so even if we just threw his entire mailbox out there would still be a copy with the compliancy people that they'd keep for the amount of time that they do. I'm not worried except that this amount of digital hoarding might point to other issues than a slow computer but hey. Don't we all have a few

Dans Macabre
Apr 24, 2004


Old Binsby posted:

There are 159922 unread items in his Inbox



Print this out and give it to the user:
https://support.microsoft.com/en-us/help/2768656/outlook-performance-issues-when-there-are-too-many-items-or-folders-in

Take out a highlighter and highlight this part:
Outlook 2019, Outlook 2016, Outlook 2013 and Outlook 2010:

100,000 items per folder


This person should use professional development funds to get training on email management good practice. The message you need to deliver is that this is Outlook behaving as designed and you cannot fix it.

Warning: the user may go and delete 59,923 items and then complain the issue didn't go away, so be prepared to for an excuse for that.

Old Binsby
Jun 27, 2014

NevergirlsOFFICIAL posted:

Print this out and give it to the user:
https://support.microsoft.com/en-us/help/2768656/outlook-performance-issues-when-there-are-too-many-items-or-folders-in

Take out a highlighter and highlight this part:
Outlook 2019, Outlook 2016, Outlook 2013 and Outlook 2010:

100,000 items per folder


This person should use professional development funds to get training on email management good practice. The message you need to deliver is that this is Outlook behaving as designed and you cannot fix it.

Warning: the user may go and delete 59,923 items and then complain the issue didn't go away, so be prepared to for an excuse for that.

if they were that easy to deal with they wouldn’t have had this amount but thanks for the link. I was kind of looking for it, seen that before but couldn’t find it last week. I’ve since learned this is an ancient formerly important dude but he’s not really doing anything any more, he got demoted. Got demoted but kept an office and secretary to keep him from making a big fuss, she said to be gentle and maybe just ignore him until his retirement this summer lol

Submarine Sandpaper
May 27, 2007


Old Binsby posted:

if they were that easy to deal with they wouldn’t have had this amount but thanks for the link. I was kind of looking for it, seen that before but couldn’t find it last week. I’ve since learned this is an ancient formerly important dude but he’s not really doing anything any more, he got demoted. Got demoted but kept an office and secretary to keep him from making a big fuss, she said to be gentle and maybe just ignore him until his retirement this summer lol

We had a guy like this, then did a mail migration, and whopse his continued access to company emails to arrange bridge was not considered

accidentally throw on a retention if he's not subject to hold

Beefstorm
Jul 20, 2010

"It's not the size of the tower. It's the motion of the airwaves."
Lipstick Apathy

Old Binsby posted:

it's that time of year, stumbled upon that guy calling in that Outlook is really slow and has been for a while but he's hoping we can finally fix it. I'm the fourth person to get the ticket assigned ... lets... seee.... ah, the season for sharing the joy after all

User has had mailbox since start of employment - 1997.

There are 159922 unread items in his Inbox and he does not want to remove any. Or mark them read. The unread ones are unread for a reason. These include all messages ever placed in the Sent items box. And drafts. All folders in his mailbox are empty except the inbox, which we can't touch. New folders will throw him for a loop, how will he find anything? He know at what height important messages are on the scroll bar on his screen. Besides the search doesn't work. Poorly even when it was still Notes, probably. Please advise



If you have Office 365, utilize archiving. Dump the oldest 75-100k messages into his archive, and have the rest go into his standard mailbox. Should clear up some of his performance issues.

But yeah, he needs to just let go of some of his old stuff....

RoboBoogie
Sep 18, 2008
https://www.zdnet.com/article/hackers-wipe-us-servers-of-email-provider-vfemail/


I guess their disaster recovery process didnt work lol

Dans Macabre
Apr 24, 2004


Yet another data point to justify self hosting dovecot for my enterprise :smug:

Count Thrashula
Jun 1, 2003

Peak Performance.

Buglord
So someone was working from home yesterday and kept trying to add contacts, but then they wouldn't be in his "all contacts" list. Today he gets to the office and they all show up.

What on earth can I do to troubleshoot ex post facto?

Cheech Marinade
Apr 17, 2002
Is there any way to have Exchange completely ignore the From: in an inbound message body and force it to use the real SMTP email address? Like either scrub any "from:" entries from a message body, or overwrite them with the SMTP From header:. Email spoofing is getting ridiculous, and it's bullshit that Outlook does so much to help out attackers by hiding the info the users really need to see. SPF is useless against these kind of spoofed messages since the attackers aren't forging From: in the actual headers, just the "friendly name."

Yeah this customer's lovely Barracuda spam appliance really should stop an email with a malicious attachment where the body is something like "Here's a totally legitimate invoice," but if Outlook would show the real sender's email, even the C-levels might realize it's a phishing message. I certainly can't train a 70 year old bank president to open a message and analyze the headers. Why isn't there a big outcry in the industry about the way email clients hide vital security information from users?

Internet Explorer
Jun 1, 2005





Because users can't be trusted to do anything with information.

Use DMARC. Use whatever Barracuda's version of Impersonation Protection is.

Cheech Marinade
Apr 17, 2002
Is DMARC kinda like spf where it's ineffective if the sender doesn't have it implemented, or does it somehow cover senders that don't have a DKIM record? Do enough email hosts implement DMARC to where it's reasonable to ding their SCL score over not having it? The sender in question is using godaddy's email servers, apparently, and has an SPF record, but the spam senders are sending from other email addresses/servers.

Internet Explorer
Jun 1, 2005





It is like SPF where if the other side does not have it set up you cannot leverage it. That is where something like Mimecast's Impersonation Protection comes into play.

incoherent
Apr 24, 2004

01010100011010000111001
00110100101101100011011
000110010101110010
The barracuda analogs to Impersonation Protection are only available in the cloud services. If you have a box (like I do and Cheech Marinade) you can use the CPL layer, which is a free "light" cloud based scanning which gives you basic link protection. But to get the goodies of Impersonation protection you have to pay out for the cloud subscription

https://www.barracuda.com/products/sentinel

TITTIEKISSER69
Mar 19, 2005

SAVE THE BEES
PLANT MORE TREES
CLEAN THE SEAS
KISS TITTIESS




I've created a shared mailbox in our on-prem Exchange, and granted access to the required users. One of them would like to add it to their mobile phone (I'm guessing iPhone) and has asked me what the password is.

Since it's a shared mailbox, by default it doesn't have a password. Can it be added to a mobile mail app without one? I've Googled but all I've found so far has said to enter the password.

Old Binsby
Jun 27, 2014

in O365 this is done by adding the mailbox and authenticating but using your personal credentials. On prem I think you have to gently caress around a little, probably IMAP supports authentication using personal credentials to the shared mailbox. But not the default Exchange connection via ActiveSync. It can be done through EWS, which supplanted activesync and is the reason it works in O365 iirc.

Enabling the shared mailbox user account is done sometimes but it’s a worse idea than IMAP even, imo

TITTIEKISSER69
Mar 19, 2005

SAVE THE BEES
PLANT MORE TREES
CLEAN THE SEAS
KISS TITTIESS




I've enabled other shared mailboxes' accounts before, but that was so another set of users could login to it via OWA to set autoreplies. Still, if that's what needs to be done, so be it.

Old Binsby
Jun 27, 2014

TITTIEKISSER69 posted:

I've enabled other shared mailboxes' accounts before, but that was so another set of users could login to it via OWA to set autoreplies. Still, if that's what needs to be done, so be it.

the feature specifically for users to open their own OWA and edit the autoreply of another mailbox is supported on prem if they’re given full access, just fyi

TITTIEKISSER69
Mar 19, 2005

SAVE THE BEES
PLANT MORE TREES
CLEAN THE SEAS
KISS TITTIESS




Interesting! I'll test that next time the need comes along.

Sickening
Jul 16, 2007

Black summer was the best summer.
Okay folks, one of my teams has turn into a problem which we haven't found an resolution to yet. Here is the scenario...

1: A user gets phished who is privileged in 0365. The account is made a delegate to a sensitive mailbox. That user account is then used to read email in that inbox.
2: Search-MailboxAuditLog shows these actions. It however only shows the mail messages being accessed by messageid.

For the life of me, my team and I can't figure how in the hell to query office 365 to match up the messageid's to emails to know exactly what was read (or shown to be read) by the logs. You would figure that a content search would be useful, but alas messageid is not a defined parameter in the search (wtf?). Message trace works, but it only goes back so far and if the email is an old one it won't show up there.

Some of my top leaders want to know which specific email was read and is pushing pretty hard. I explained that its better to assume that an entire offline copy was cached and all email should be considered read in the mailbox at this point, but I was overruled.

I should be able to search a loving office 365 mailbox by message id! Help!

Old Binsby
Jun 27, 2014

I think you were pretty much on the right track, if you do a delegate/admin search on that mailbox for the action messagebind (ie reading a message) you should get a true unique ID like Identity (?) besides message id, did you use --ShowDetails? I hate that it's a switch but it definitely should improve the results for you if you didnt before. Swap out -Mailboxes for -Identity, if you were using the mailboxes parameter because it's not compatible for some reason.

Sickening
Jul 16, 2007

Black summer was the best summer.

Old Binsby posted:

I think you were pretty much on the right track, if you do a delegate/admin search on that mailbox for the action messagebind (ie reading a message) you should get a true unique ID like Identity (?) besides message id, did you use --ShowDetails? I hate that it's a switch but it definitely should improve the results for you if you didnt before. Swap out -Mailboxes for -Identity, if you were using the mailboxes parameter because it's not compatible for some reason.

Messagebind is retired I think. We definitely are using -showdetails and -Identity in my searches and for email messages the subject lines are showing up blank in the auditlog search but contains messageid's. If subject lines were included in the audit log I wouldn't be in this position.

I don't understand the point of putting messageid's in an audit log but not giving you a way to search for them.

Old Binsby
Jun 27, 2014

eh you're right. Searching for the MailItemsAccessed operation is the replacement. That also yields blank subject line entries in the output?

Digital_Jesus
Feb 10, 2011

Nothing like a mass mailbox migration to a new exchange server filling up your log volume and dismounting all production DBs. :allears:

Cheech Marinade posted:

Is there any way to have Exchange completely ignore the From: in an inbound message body and force it to use the real SMTP email address? Like either scrub any "from:" entries from a message body, or overwrite them with the SMTP From header:. Email spoofing is getting ridiculous, and it's bullshit that Outlook does so much to help out attackers by hiding the info the users really need to see. SPF is useless against these kind of spoofed messages since the attackers aren't forging From: in the actual headers, just the "friendly name."

Yeah this customer's lovely Barracuda spam appliance really should stop an email with a malicious attachment where the body is something like "Here's a totally legitimate invoice," but if Outlook would show the real sender's email, even the C-levels might realize it's a phishing message. I certainly can't train a 70 year old bank president to open a message and analyze the headers. Why isn't there a big outcry in the industry about the way email clients hide vital security information from users?

Please enable either your exchange server or the barracuda appliance to put the giant "HEY THIS IS EXTERNAL PLEASE BE CAUTIOUS WHEN OPENING ATTACHMENTS" banner and you should also have spoof protection turned on for all domains in the CPL and at the Appliance level.

Barracuda ESGs are pretty drat good honestly. Make sure all your ATP definitions are set to auto-update and make sure that attachment scanning is enabled for inbound email. If the customer isn't paying for an ATP subscription tell them to invest in one and set up a CCP/CPL for their ESG and domains.


The biggest spam/phishing related problems I have these days are from spammers using legitimate email servers with proper certificates and mail records. I get poo poo from compromised road runner, AOL, etc accounts all the goddamn time. Most of these can be caught if you crank down the filter's tolerance for mail but then you deal with a lot more false positives.

Email phishing is becoming incredibly hard to stop and its one of the areas I think infosec is having the worst time keeping up with the bad guys. Too much of it requires users to know how to read email now and critical information is obscured as you said. I think "From:" as a separate modifiable field needs to be completely removed from the email standard.

Too many malicious bodies have realized that infosec is quite capable of keeping up with infection based attacks and have now switched to targeting the one thing infosec can't fix: user ignorance.

Digital_Jesus fucked around with this message at 16:51 on Apr 22, 2019

Sickening
Jul 16, 2007

Black summer was the best summer.

Old Binsby posted:

eh you're right. Searching for the MailItemsAccessed operation is the replacement. That also yields blank subject line entries in the output?

Yes it does. In fact, it contains TONS of blank fields.

DestFolderId DestFolderPathName FolderId FolderPathName FolderName MemberRights MemberSid MemberUpn
SourceItemIdsList SourceItemSubjectsList SourceItemAttachmentsList SourceItemFolderPathNamesList SourceFolderPathNamesList SourceItemInternetMessageIdsList ItemId ItemSubject ItemAttachments ItemInternetMessageId DirtyProperties

Old Binsby
Jun 27, 2014

Sickening posted:

Yes it does. In fact, it contains TONS of blank fields.

DestFolderId DestFolderPathName FolderId FolderPathName FolderName MemberRights MemberSid MemberUpn
SourceItemIdsList SourceItemSubjectsList SourceItemAttachmentsList SourceItemFolderPathNamesList SourceFolderPathNamesList SourceItemInternetMessageIdsList ItemId ItemSubject ItemAttachments ItemInternetMessageId DirtyProperties

very strange. It might be worth contacting MS directly because it smells like a bug. Last thing that comes to mind is checking whether the stuff you're looking for is logged in the mailbox audit logs at all (get-mailbox X | fl *audit*) and whether you have the correct role group assignments, Check the Discovery/Records group, maybe their move to their own portal broke something. Low hanging fruit, maybe someone else has an idea

Will Styles
Jan 19, 2005

Sickening posted:

Okay folks, one of my teams has turn into a problem which we haven't found an resolution to yet. Here is the scenario...

1: A user gets phished who is privileged in 0365. The account is made a delegate to a sensitive mailbox. That user account is then used to read email in that inbox.
2: Search-MailboxAuditLog shows these actions. It however only shows the mail messages being accessed by messageid.

For the life of me, my team and I can't figure how in the hell to query office 365 to match up the messageid's to emails to know exactly what was read (or shown to be read) by the logs. You would figure that a content search would be useful, but alas messageid is not a defined parameter in the search (wtf?). Message trace works, but it only goes back so far and if the email is an old one it won't show up there.

Some of my top leaders want to know which specific email was read and is pushing pretty hard. I explained that its better to assume that an entire offline copy was cached and all email should be considered read in the mailbox at this point, but I was overruled.

I should be able to search a loving office 365 mailbox by message id! Help!

You can do what you want with EWS + powershell. It's fairly involved so it if you want to learn it the turn around may be longer than what your company would like.

I didn't find anything that does exactly what you want from some quick googling, but theoretically you would pull in the mailbox that was compromised, iterate through every folder, filter for messages with a matching message-id, and return the pertinent details.

Sickening
Jul 16, 2007

Black summer was the best summer.

Will Styles posted:

You can do what you want with EWS + powershell. It's fairly involved so it if you want to learn it the turn around may be longer than what your company would like.

I didn't find anything that does exactly what you want from some quick googling, but theoretically you would pull in the mailbox that was compromised, iterate through every folder, filter for messages with a matching message-id, and return the pertinent details.

I found that too. That is probably going to be my last ditch effort.

This should be an easily searchable thing, especially since they are assigning the message ids.

Will Styles
Jan 19, 2005
Actually just found this: https://gist.github.com/bill-long/09545eae085f9da0886b

All you'd need to do is alter the search criteria to be based on message IDs instead of subject.

code:
# Add this somewhere after the params
$csv = Import-Csv <file containing message IDs>

# Replace line 125 with the below
$searchCriteria = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+SearchFilterCollection([Microsoft.Exchange.WebServices.Data.LogicalOperator]::Or)
foreach ($msgId in $csv) {
  $newFilter = New-Object Microsoft.Exchange.WebServices.Data.SearchFilter+IsEqualTo([Microsoft.Exchange.WebServices.Data.EmailMessageSchema]::InternetMessageId, $msgId)
  $searchCriteria.add($newFilter)
}

Submarine Sandpaper
May 27, 2007


Anyone have any ideas how to query when a retention policy was set on a mailbox?

Old Binsby
Jun 27, 2014

Submarine Sandpaper posted:

Anyone have any ideas how to query when a retention policy was set on a mailbox?

the admin audit log will show that unless you have that log recycle after X days and it happened before then. In o365 I set it at forever first thing. The command to look for should be set-mailbox with an argument Retentionpolicy used

Old Binsby
Jun 27, 2014

Sickening posted:

I found that too. That is probably going to be my last ditch effort.

This should be an easily searchable thing, especially since they are assigning the message ids.

thought about this a little more because it’s weird and i forgot to ask: when you download the audit data from the mailbox as XML, is that half-empty too/is it even available for downloading ?

Sickening
Jul 16, 2007

Black summer was the best summer.

Old Binsby posted:

thought about this a little more because it’s weird and i forgot to ask: when you download the audit data from the mailbox as XML, is that half-empty too/is it even available for downloading ?

I didn't even go down that path. When I search the audit logs, i pipe it into a csv.

Old Binsby
Jun 27, 2014

Sickening posted:

I didn't even go down that path. When I search the audit logs, i pipe it into a csv.

definitely preferable to diy xml mangling. I like out-gridview sometimes too

i asked out of curiosity only , not applicability per se. Your EWS search looks like it should do the trick probably. Did it? that xml file is a fairly direct/uninterpreted way of checking whether exchange is even making the records properly. if it does, a report/search coming up empty is permissions or powershell mishaps, if not, something serious is wrong or you actually didn’t have it enabled the way you think you did.

Sickening
Jul 16, 2007

Black summer was the best summer.

Old Binsby posted:

definitely preferable to diy xml mangling. I like out-gridview sometimes too

i asked out of curiosity only , not applicability per se. Your EWS search looks like it should do the trick probably. Did it? that xml file is a fairly direct/uninterpreted way of checking whether exchange is even making the records properly. if it does, a report/search coming up empty is permissions or powershell mishaps, if not, something serious is wrong or you actually didn’t have it enabled the way you think you did.

I am not doing ews fuckery until I am forced to. Right now I have scripts ready to created mailbox rules to make copy of emails with certain message id's in the header so these folks can see what email was read at their leisure. I am ready to be done with it.

Submarine Sandpaper
May 27, 2007


I may be blind but this came on my plate this morning and I cannot find explicit documentation stating whether or not an administrative search-mailbox -subject "blah" -deletecontent -searchdumpsteronly will actually remove the item for a user on litigation hold?

Adbot
ADBOT LOVES YOU

Sickening
Jul 16, 2007

Black summer was the best summer.

Submarine Sandpaper posted:

I may be blind but this came on my plate this morning and I cannot find explicit documentation stating whether or not an administrative search-mailbox -subject "blah" -deletecontent -searchdumpsteronly will actually remove the item for a user on litigation hold?

Holy poo poo, that is a great a question. I would hope that it wouldn't. I would also not be shocked that it does nothing but override retention policies.

  • 1
  • 2
  • 3
  • 4
  • 5
  • Post
  • Reply