Does Your eDiscovery Platform Handle This Common Microsoft Exchange Email Address Search Issue?
Searching for emails can be critical to your cases
You may have noticed that, while searching through emails in the course of the eDiscovery process, your search engine sometimes fails to return emails that it should be listing.
The issue causing the emails to slip through might be deeper than you think
Often, the trouble comes down to a legacy feature that Microsoft introduced in Exchange 2007 servers, which affects the way they manage data, and emails in particular.
Let’s consider the case of Sarah Jones working at GoldFynch. Her email address would look something like this:
firstname.lastname@example.org, and while sending or receiving emails, it would read that way, too. This type of email address is known as the SMTP address, and is the type that is commonly used and shared.
But Microsoft’s Exchange 2007 servers might end up storing Sarah’s information as a different type of address–the Exchange x500 address–and it looks like this:
/O=GOLDFYNCH/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=sjones
Why use a different type of address?
In 2007 Microsoft upgraded their Exchange servers. In the process, they gave them a single administrative group to handle backwards compatibility. The x500 address is stored in the “legacyExchangeDN” property of the Exchange mailbox. Depending on the Exchange server’s version and setup when emails are pulled from it, it’s possible that the x500 address and not the SMTP address shows up on the emails. This is especially common in emails between parties within the same Exchange server, since Exchange servers use x500 addresses for internal routing. It’s also likely that addresses are formatted this way in Sarah’s ‘sent items’ folder in Exchange.
What does that mean?
This can make it difficult to locate all of the emails for a given person. If emails are stored under the x500 address, typing out that person’s email address or even their name can end up producing 0 results.
So how do you deal with the issue?
Here’s a quick trick that can help work around the issue:
Taking another look at the x500 address, the only variable part of the address is the “sjones” component. The rest of the address will be the same for all other emails on the same Exchange server. So if you search your case for “exchange administrative group” or “FYDIBOHF23SPDLT” in all the email participant fields (i.e., To, From, Cc, Bcc) and there are no results produced, there are no Exchange x500 addresses in the case, and you will know that you aren’t missing out on any emails because of the x500 address issue.
What if there are x500 addresses, though? Don’t worry, GoldFynch has you covered.
Notice how both the SMTP and Exchange x500 addresses have the custodian name in common? In this case it would be “sjones.” GoldFynch’s search system can pick up words from within the text strings that make up the addresses. So searching for the custodian’s name–here, “sjones”–will produce the results regardless of whether they are stored as x500 or SMTP addresses.
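The two checks described above (scanning participant fields for the administrative-group markers, then matching a custodian across both address forms) can be reproduced on exported metadata. The following Python sketch is an added example, not GoldFynch's code. The message dictionaries, the `example.org`/`example.com` addresses, the `bwong` custodian and all function names are constructed, and it assumes the x500 alias equals the SMTP local part, as in the Sarah Jones example.

```python
import re

FIELDS = ("From", "To", "Cc", "Bcc")
# Fixed text of the Exchange administrative group, as quoted in the article.
X500_MARKERS = ("exchange administrative group", "fydibohf23spdlt")

# Constructed sample messages (not real case data); example.org/.com are placeholders.
SAMPLE = [
    {"id": 1, "From": "sjones@example.org", "To": "counsel@example.com"},
    {"id": 2,
     "From": "/O=GOLDFYNCH/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=sjones",
     "To": "/o=GoldFynch/ou=Exchange Administrative Group (FYDIBOHF23SPDLT)/cn=Recipients/cn=bwong"},
    {"id": 3, "From": "Bob Wong <bwong@example.org>",
     "Cc": "vendor@example.com; SJONES@example.org"},
]

def participants(msg):
    """Yield every address in the participant fields (';'-separated lists)."""
    for field in FIELDS:
        for addr in msg.get(field, "").split(";"):
            if addr.strip():
                yield addr.strip()

def parse_x500(addr):
    """Return [(key, value), ...] for an x500 address, or None for anything else."""
    if not addr.upper().startswith("/O="):
        return None
    return [(k.upper(), v) for k, v in re.findall(r"/(O|OU|CN)=([^/]*)", addr, re.I)]

def x500_messages(messages):
    """The article's check: ids of messages whose participants contain a marker."""
    return [m["id"] for m in messages
            if any(mk in a.lower() for a in participants(m) for mk in X500_MARKERS)]

def custodian_key(addr):
    """Alias to match on: last CN of an x500 address, else the SMTP local part."""
    parts = parse_x500(addr)
    if parts:
        cns = [v for k, v in parts if k == "CN"]
        return cns[-1].lower() if cns else None
    smtp = re.search(r"[\w.+-]+@[\w.-]+", addr)
    return smtp.group().split("@")[0].lower() if smtp else None

def smtp_only_search(messages, address):
    """Exact SMTP-address match, which misses x500-form participants."""
    return [m["id"] for m in messages
            if any(address.lower() in a.lower() for a in participants(m))]

def custodian_search(messages, alias):
    """Match a custodian alias across both SMTP and x500 forms."""
    return [m["id"] for m in messages
            if any(custodian_key(a) == alias.lower() for a in participants(m))]
```

On the sample data, the SMTP-only search for Sarah's address misses message 2, while the alias search returns all three messages.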
UPDATE: As of 2021, GoldFynch now stores address metadata where relevant, and supports direct x500 address searches in its Advanced Search system!