eDiscovery Daily Blog

Addressing the Inconsistent Email Address: eDiscovery Best Practices

I recently had a client who was trying to search a fairly sizable archive in CloudNine (about 2.75 TB comprised of several million documents) and searching for emails to and from a given custodian.  That search proved a little more challenging than expected due to a legacy Microsoft Exchange attribute.  Let’s take a look at that scenario, substituting a generic email address.

If you have John Dough, who is an employee at Acme Parts, his email address might look like this: jdough@acmeparts.com.  And, for many emails that he sends to others, that’s how his email address might be represented.  However, it could also be represented this way, especially in his Sent Items folder in Exchange:

/O=ACME PARTS/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=jdough

Why does it look like that and not like the “normal” email address that ends in “acmeparts.com”?  Because it’s a different type of address.

The first example – jdough@acmeparts.com – is an SMTP address.  This is the email address you commonly use and refer to when providing others your email address.  It’s probably even on your business card.

The second example – /O=ACME PARTS/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)/CN=RECIPIENTS/CN=jdough – is the Exchange x500 address – it’s the internal Exchange address for your account.  So, why does that address exist?

It’s because when Microsoft decided to change the way servers were managed in Exchange 2007, they retained a single administrative group for backwards compatibility and stored details of Exchange 2007 servers there.  The legacyExchangeDN property of the mailbox in Active Directory stores this information and, depending on the setup and version of the Exchange server when the emails are pulled from it, could be used as the address shown on some emails (especially when they’re received from internal parties).  I still see it pop up occasionally with some of the email collections that we encounter.

Fun fact for you: The value “FYDIBOHF23SPDLT” after “Exchange Administrative Group” is actually an encoded version of the string “EXCHANGE12ROCKS” with each character replaced by the one that follows it (E->F, X->Y, 1->2, etc.).

So, what does that mean to you?  It can mean a more challenging effort to locate all of the emails for a given custodian or key party.

To address the situation, I generally like to perform a search for “exchange administrative group” or “FYDIBOHF23SPDLT” in the email participant fields (i.e., To, From, Cc, Bcc).  If I don’t get any hits, then I don’t have any Exchange x500 addresses and there are no worries.

If I do get hits, then I have to account for these email addresses.  Both the SMTP and Exchange x500 address have at least one thing in common – the custodian name.  Typically, that’s first initial and last name, but there are variations as some organizations (if they’re small enough) use just the first or last name for email addresses.  And, if you have two people with the same first initial and last name, you have to distinguish them, so the address could include middle initial (e.g., jtsmith) or number (e.g., jtsmith02).

In its Search form, CloudNine performs an autocomplete of a string typed in for a field, identifying any value for the field that contains that string.  So, an autocomplete for “jdough” in the To, From, Cc or Bcc fields would retrieve both examples at the top of this post if they were present – and also any personal email addresses if he used his first initial and last name on those too.  If it seems apparent that all “jdough” entries are associated with the custodian you’re looking for, then the search can be as simple as “contains jdough” (e.g., From contains jdough to get all variations in the From field).  If it looks like you have email addresses for somebody else, then you may have to search for the specific addresses.  Either way, you can use that technique to ensure retrieval of all of John Dough’s email address variations.
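The two-step approach above (first check whether any legacy Exchange addresses are present at all, then match both address forms on the shared mailbox name and vet the distinct addresses that match) can be scripted when the participant fields are available in an export. The following is an added example, not code from the original post or from CloudNine: the sample messages, the field layout (one string per field, entries separated by “;”, optional “Name <address>” display form) and the assumption that jdough@otherfirm.example belongs to a different person are all constructed for illustration.

```python
import re

# Constructed sample export (not from the original post): participant header
# fields the way a collection might present them. John Dough appears as an SMTP
# address, as an Exchange legacyExchangeDN (X.500) address and as a personal
# address; jdough@otherfirm.example is assumed to be a different person.
X500_JDOUGH = ("/O=ACME PARTS/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)"
               "/CN=RECIPIENTS/CN=jdough")
X500_BSMITH = ("/O=ACME PARTS/OU=EXCHANGE ADMINISTRATIVE GROUP (FYDIBOHF23SPDLT)"
               "/CN=RECIPIENTS/CN=bsmith")
SAMPLE_MESSAGES = [
    {"From": "John Dough <jdough@acmeparts.com>", "To": "bob@example.com", "Cc": "", "Bcc": ""},
    {"From": X500_JDOUGH, "To": X500_BSMITH, "Cc": "", "Bcc": ""},
    {"From": "jdough@gmail.example", "To": "jdough@acmeparts.com", "Cc": "", "Bcc": ""},
    {"From": "carol@example.com", "To": "dave@example.com", "Cc": "jdough@otherfirm.example", "Bcc": ""},
    {"From": "carol@example.com", "To": "dave@example.com", "Cc": "", "Bcc": ""},
]

PARTICIPANT_FIELDS = ("From", "To", "Cc", "Bcc")
# The strings the post searches for to detect legacy Exchange addresses.
X500_MARKERS = ("exchange administrative group", "fydibohf23spdlt")


def participants(message):
    """Yield every (field, bare address) pair in the participant fields.
    Entries are separated by ';' and may carry a display name in the
    'Name <address>' form, which is stripped."""
    for field in PARTICIPANT_FIELDS:
        for entry in message.get(field, "").split(";"):
            entry = entry.strip()
            if not entry:
                continue
            m = re.search(r"<([^>]+)>", entry)
            yield field, (m.group(1).strip() if m else entry)


def has_x500_addresses(messages):
    """The post's first check: do any participant fields carry the legacy
    administrative-group marker? If not, only SMTP addresses need handling."""
    return any(marker in addr.lower()
               for msg in messages for _, addr in participants(msg)
               for marker in X500_MARKERS)


def address_key(addr):
    """Reduce either address form to the part both share: the mailbox name.
    For an X.500 address that is the last CN= component; for SMTP it is the
    local part before '@'. Matching is case-insensitive."""
    if addr.startswith("/"):
        cns = re.findall(r"/CN=([^/]+)", addr, flags=re.IGNORECASE)
        return cns[-1].strip().lower() if cns else addr.lower()
    return addr.split("@", 1)[0].lower()


def find_by_name(messages, name):
    """'Contains' search on the mailbox name across all participant fields,
    the equivalent of 'From/To/Cc/Bcc contains jdough'. Returns message
    indices; both the SMTP and X.500 variants of the custodian hit."""
    name = name.lower()
    return [i for i, msg in enumerate(messages)
            if any(name in address_key(addr) for _, addr in participants(msg))]


def matched_addresses(messages, name):
    """Distinct raw addresses a name search matched, for a reviewer to vet
    whether they all belong to the custodian or some to another person."""
    name = name.lower()
    return sorted({addr for msg in messages for _, addr in participants(msg)
                   if name in address_key(addr)})


def find_by_addresses(messages, addresses):
    """Follow-up search on an exact, vetted address set once a name search has
    been found to pull in somebody else's mail."""
    wanted = {a.lower() for a in addresses}
    return [i for i, msg in enumerate(messages)
            if any(addr.lower() in wanted for _, addr in participants(msg))]


if __name__ == "__main__":
    print("X.500 addresses present:", has_x500_addresses(SAMPLE_MESSAGES))
    print("name search hits:", find_by_name(SAMPLE_MESSAGES, "jdough"))
    for a in matched_addresses(SAMPLE_MESSAGES, "jdough"):
        print("  matched:", a)
    vetted = ["jdough@acmeparts.com", "jdough@gmail.example", X500_JDOUGH]
    print("vetted address hits:", find_by_addresses(SAMPLE_MESSAGES, vetted))
```

Two points worth noting when adapting this. The marker check mirrors the post exactly, but environments upgraded from older Exchange versions can carry a differently named administrative group in legacyExchangeDN, so treating any participant entry that starts with “/O=” as an X.500 address is the broader net; `address_key` already parses on that prefix rather than on the marker. And because the name search is a “contains” match, `matched_addresses` is the list to review before trusting the hit count: in the sample it surfaces jdough@otherfirm.example, which is then excluded from the exact-address follow-up search.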

So, what do you think?  Have you encountered Exchange x500 addresses in your email collections? As always, please share any comments you might have or if you’d like to know more about a particular topic.

Disclaimer: The views represented herein are exclusively the views of the author, and do not necessarily represent the views held by CloudNine. eDiscovery Daily is made available by CloudNine solely for educational purposes to provide general information about general eDiscovery principles and not to provide specific legal advice applicable to any particular circumstance. eDiscovery Daily should not be used as a substitute for competent legal advice from a lawyer you have retained and who has agreed to represent you.
