Script to identify the users forwarding, redirecting and forward as attachment emails to external ids

It is always difficult to keep sensitive emails from leaking out of an organization. To reduce the risk, a few things can be blocked in the global settings on the server side.

If auto-forwarding and auto-reply are enabled on the default remote domain, any user can create an external contact in their local Outlook profile and then forward all their email to their external IDs. This is another way sensitive data can leak out of the organization.

The default remote domain will have autoforward and autoreply disabled. That is the recommended configuration.

We need to disable the auto-forwarding and auto-reply options in the default remote domain. If an application forwards email to trusted partners or vendors, we can create a custom remote domain for them and enable auto-forwarding for that remote domain alone. With this in place, end users will not be able to redirect, forward or forward as attachment their internal emails to their external IDs.

We can check that by running the below command

Get-RemoteDomain | ft Auto*

If they are enabled, run the commands below to disable them

Set-RemoteDomain -Identity default -AutoForwardEnabled $false
Set-RemoteDomain -Identity default -Autoreplyenabled $false

Recently I was looking for a solution to this kind of issue and came up with the idea of a script that can pull out users who have redirect, forward or forward as attachment options enabled in their Outlook rules.

I have created a script which can be used to pull out this kind of information. The script below runs against all mailboxes in the entire organization, pulls out users who have external rules set, and then emails the result to the administrator as a CSV file so that he can see who has this option enabled.

***************************************************

Set-ADServerSettings -ViewEntireForest $true

# Collect forwarding-type rules from every mailbox, then write the CSV once.
# (Export-Csv inside the loop would overwrite the file for each mailbox.)
Get-Mailbox -ResultSize Unlimited | ForEach-Object {
    Get-InboxRule -Mailbox $_.DistinguishedName |
        Where-Object { ($_.ForwardTo -ne $null) -or ($_.RedirectTo -ne $null) -or ($_.ForwardAsAttachmentTo -ne $null) }
} | Select-Object MailboxOwnerId, Name, ForwardTo |
    Export-Csv d:\ForwardRule.csv -NoTypeInformation

# Mail the report to the administrator.
Send-MailMessage -To alias@domain.com -Cc alias@domain.com -From anyid@domain.com -Subject "Forward To" -Attachments d:\ForwardRule.csv -SmtpServer specifytransportserver

*******************************************************

Copy the above text into Notepad and save it as a .ps1 file. Navigate to the location where you saved it and execute the script.

Things you need to modify in the above script

Set the drive location for the CSV file to the place where you wish to save it.

In the To and Cc fields of the email, give the users to whom the report needs to be sent.

In the From address, specify the address it should be sent from, and give the mailbox server as the SMTP server if it’s 2013, or the hub server if it is 2010 or 2007.

Here is the example

Just copy the code into a text file and save it in ps1 format.

Navigated to the location and ran it.

Received the email


When we open the CSV file, the output lists the users who have the forwardto, redirectto and forwardasattachment options set in Outlook rules for external IDs.

Note:

This command pulls rules from a user’s mailbox only if they are enabled. If a user has created a rule and has disabled it temporarily, then it won’t fetch that information.
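The script above selects every rule that carries a forward, redirect or forward-as-attachment action; it does not itself check where the target address lives. The following PowerShell is an added example, not part of the original post, that narrows the same three rule properties to recipients outside the organization. The function name Get-ExternalRuleTarget, the sample rule objects and the example domains are constructed for illustration, and the "[SMTP:...]" recipient rendering is an assumption about how the rule targets are displayed.

```powershell
# Added example (not the original author's script).
# Flags inbox-rule recipients whose SMTP domain is not one of the internal domains.
function Get-ExternalRuleTarget {
    param(
        [Parameter(Mandatory = $true)] [object[]] $Rule,           # shaped like Get-InboxRule output
        [Parameter(Mandatory = $true)] [string[]] $AcceptedDomain  # internal SMTP domains, as strings
    )
    foreach ($r in $Rule) {
        foreach ($action in 'ForwardTo', 'RedirectTo', 'ForwardAsAttachmentTo') {
            foreach ($target in @($r.$action)) {
                # Assumed rendering: "Display Name" [SMTP:user@domain]. Entries shown as
                # [EX:/o=...] are directory objects and are not classified here.
                if ("$target" -match '\[SMTP:([^@\]\s]+@([^\]\s]+))\]') {
                    # -notcontains compares case-insensitively
                    if ($AcceptedDomain -notcontains $Matches[2]) {
                        [pscustomobject]@{
                            Mailbox = $r.MailboxOwnerId
                            Rule    = $r.Name
                            Action  = $action
                            Target  = $Matches[1]
                        }
                    }
                }
            }
        }
    }
}

# Constructed sample data (example domains); no Exchange server is needed to run this.
$sampleRules = @(
    [pscustomobject]@{ MailboxOwnerId = 'corp.example/Users/Alice'; Name = 'Copy to home'
        ForwardTo = @('"Alice Home" [SMTP:alice@personal.example]')
        RedirectTo = $null; ForwardAsAttachmentTo = $null },
    [pscustomobject]@{ MailboxOwnerId = 'corp.example/Users/Bob'; Name = 'To my manager'
        ForwardTo = @('"Carol" [EX:/o=Corp/ou=Admin Group/cn=Recipients/cn=carol]')
        RedirectTo = $null; ForwardAsAttachmentTo = $null },
    [pscustomobject]@{ MailboxOwnerId = 'corp.example/Users/Dave'; Name = 'Invoices'
        ForwardTo = $null
        RedirectTo = @('"Dave" [SMTP:dave@corp.example]')
        ForwardAsAttachmentTo = @('"Archive" [SMTP:archive@partner.example]') }
)

$report = Get-ExternalRuleTarget -Rule $sampleRules -AcceptedDomain 'corp.example'
$report | Format-Table -AutoSize
```

Against a live organization, pass the collected Get-InboxRule output as -Rule and the organization's accepted domain names, converted to strings, as -AcceptedDomain.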

 

Thanks

Sathish Veerapandian

MVP – Exchange Server

4 thoughts on “Script to identify the users forwarding, redirecting and forward as attachment emails to external ids”

  1. shakthiravi October 14, 2014 at 7:41 pm

    Good one Bro.. Just a small update to the PowerShell script.. When you generate the report for obtaining ForwardTo results change the current object in the above shell to @{Name="ForwardTo";Expression={$_.ForwardTo}} to get the complete result … Also you can include the NoTypeInformation switch to the csv report generation which makes the report look nice with the required data.

    • sathishveerapandian October 14, 2014 at 11:39 pm

      Hi Ravi,

      Thanks for your reply. I have already tried the first suggestion (@{Name="ForwardTo";Expression={$_.ForwardTo}}).
      It will work perfectly fine if we pull out information only for the forwardTo parameter.
      But the combined parameter with redirectto, forwardasattachment and forwardto will not work. My combined script will work fine. You can paste me the screenshots if you come across any errors in my script and it’s much appreciated.
      It would be great if you could give me an example of a csv report which is made to look nice with the required data with the parameter notypeinformation which end users could understand.

  2. shakthiravi October 15, 2014 at 2:43 am

    Bro, I updated this only for the ForwardTo parameter which I use for a multi value property to get the output in a proper format in my scripts and not for the other ones 🙂 Yours is all good just shared this thought as an add-on. To know more on notype information I referred check this blog post http://blogs.technet.com/b/heyscriptingguy/archive/2011/09/23/use-powershell-to-work-with-csv-formatted-text.aspx Thanks 🙂

  3. sathishveerapandian October 15, 2014 at 10:31 am

    Hey Ravi

    Command updated with notypeinformation to remove the system string value. Thanks a lot for your addon Buddy. Much appreciated 🙂
