Journal archive email format and DLP issue
We exported the email from the journal archive from DA as PST, then converted it to EML, which will be scanned by Symantec DLP Network Monitor. However, the incident created has no email address, only the sender name or recipient name.
The question is: when EV archives the email, in which format is it archived? Does it include the address or only the name? In DA, there is an option to enable showing the email address. See this KB: http://www.symantec.com/docs/TECH166289
Thanks.
I think it's the envelope journaling that is the key here. The message itself (P2) is actually submitted using the sender/recipient canonical name, and the hub transport server will add the SMTP address as it puts the message in its envelope (P1). See MS for more detail on how envelope journaling works with internal addresses: http://msdn.microsoft.com/en-us/library/office/cc842372.aspx
When EV stores the item in the archive, the P2 is stored since it is the actual message, and the information in the P1 is written to the index and saveset metadata, and the P1 envelope is discarded. When you perform a PST export, you are not recreating this envelope. You are just exporting the actual message, and the SMTP address is not written on the actual message.
FWIW, if you enable the API, then DA gets the sender/recipient address by going through the API to read the saveset metadata, but I believe that is just for review and not for exports.
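A pre-flight check for the situation described in this thread, added here as an example and not code from either poster or from Symantec: it reads an exported EML and reports which sender/recipient entries carry an SMTP address and which hold only a display name or an Exchange legacy DN, so messages that would produce address-less DLP incidents can be spotted before scanning. The function names, the sample message and the legacy-DN pattern are assumptions made for illustration.

```python
import re
from email import message_from_string

ADDRESS_HEADERS = ("From", "Sender", "To", "Cc", "Bcc")
SMTP_RE = re.compile(r"[A-Za-z0-9._%+'-]+@[A-Za-z0-9-]+(?:\.[A-Za-z0-9-]+)+")
# Assumed shape of an Exchange legacy DN left in a header by a converter.
LEGACY_DN_RE = re.compile(r"/o=[^/]+/ou=[^/]+/cn=", re.IGNORECASE)

# Constructed sample of exported message headers (not taken from the thread).
SAMPLE_EXPORTED = """\
From: Alice Example
To: "Example, Bob" </O=EXAMPLE/OU=EXCHANGE ADMINISTRATIVE GROUP/CN=RECIPIENTS/CN=BOB>,
 carol@example.com
"""

def split_mailboxes(value):
    """Split on commas that are outside double quotes and angle brackets."""
    parts, buf, in_quote, in_angle = [], [], False, False
    for ch in value:
        if ch == '"':
            in_quote = not in_quote
        elif ch in "<>" and not in_quote:
            in_angle = ch == "<"
        if ch == "," and not in_quote and not in_angle:
            parts.append("".join(buf).strip())
            buf = []
        else:
            buf.append(ch)
    parts.append("".join(buf).strip())
    return [p for p in parts if p]

def classify(mailbox):
    if SMTP_RE.search(mailbox):
        return "smtp"
    return "legacy_dn" if LEGACY_DN_RE.search(mailbox) else "name_only"

def audit_eml(raw):
    """Return (header, mailbox, class) for every sender/recipient entry."""
    msg = message_from_string(raw)
    findings = []
    for header in ADDRESS_HEADERS:
        for value in msg.get_all(header, []):
            # Unfold continuation lines before splitting into mailboxes.
            for mailbox in split_mailboxes(" ".join(value.split())):
                findings.append((header, mailbox, classify(mailbox)))
    return findings

# Entries that would reach the DLP scanner without an SMTP address.
def missing_smtp(raw):
    return [f for f in audit_eml(raw) if f[2] != "smtp"]
```
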