Does Your eDiscovery Platform Handle This Common Microsoft Exchange Email Address Search Issue?

17 July 2018 by Anith Mathai eDiscovery small-law-firm email-search Microsoft-Exchange x500 SMTP

SMTP vs x500 - Microsoft Exchange Email Search Issues

Searching for emails can be critical to your cases

You may have noticed that while you are searching through emails in the course of the eDiscovery process your search engine sometimes fails to produce results of emails that it should be listing.

The issue causing the emails to slip through might be deeper than you think

Often, the trouble comes down to an issue caused by a legacy feature Microsoft introduced in Exchange 2007 servers to the way they manage data, and emails in particular.

Let’s consider the case of Sarah Jones working at GoldFynch. Her email address would look something like this: sjones@goldfynch.com and while sending or receiving emails, it would read that way, too. This type of email address is known as the SMTP address, and is the type that is commonly used and shared.

But Microsoft’s Exchange 2007 servers might end up storing Sarah’s information as a different type of address–the Exchange x500 address–and it looks like this:

/O=GOLDFYNCH/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=sjones

Why use a different type of address?

In 2007 Microsoft upgraded their Exchange servers. In the process, they gave them a single administrative group to handle backwards compatibility. This is the “legacyExchangeDN” property of the Exchange mailbox. Depending on the Exchange server’s version and setup when emails are pulled from it, it’s possible that the x500 address and not the SMTP address shows up on the emails. This is especially common in emails from parties within the same Exchange server, since Exchange servers use x500 addresses for internal routing. It’s also likely that it’s formatted this way in Sarah’s ‘sent items’ folder in Exchange.

What does that mean?

This can make it difficult to locate all of the emails for a given person. If emails are stored under the x500 address, typing out their email address or even names can end up producing 0 results.

Fun Fact: The “FYDIBOHF23SPDLT” after “Exchange Administrative Group” actually represents the string “EXCHANGE12ROCKS” with each character changed to the following letter in the alphabet B to C, M to N, and so on.

So how do you deal with the issue?

Here’s a quick trick that can help work around the issue:

Taking another look at the x500 address, the only variable part of the address is the “sjones” component. The rest of the address will be the same for all other emails on the same Exchange server. So if you search your case for “exchange administrative group” or “FYDIBOHF23SPDLT” in all the email participant fields (i.e., To, From, Cc, Bcc) and there are no results produced, there are no Exchange x500 addresses in the case, and you will know that you aren’t missing out on any emails because of the x500 address issue.

What if there are x500 addresses though? Don’t worry GoldFynch has you covered.

Notice how both SMTP and Exchange x500 address have the custodian name in common? In this case it would be “sjones.” GoldFynch’s search system can pick up words from within the text strings that make up the addresses. So searching for the custodian’s name–here, “sjones”–will produce the results regardless of whether they are stored as x500 or SMTP addresses.

UPDATE: As of 2021, GoldFynch now stores address metadata where relevant, and supports direct x500 address searches in its Advanced Search system!

Note: Some MS enterprise collections store both SMTP and x500 addresses, and it’s possible to extract the SMTP addresses even when x500 addresses are present. In most cases, GoldFynch can automatically extract the SMTP address that makes searching easier, but in the rare occasion you are not able to view the SMTP address, get in touch with GoldFynch support at support@goldfynch.com, or from the help button in your case view.