by

Displaying the Recipient historical past from the Out of Workplace function utilizing EWS

Displaying the Recipient historical past from the Out of Workplace function utilizing EWS One attention-grabbing factor I learnt this week from a mailing record that I knew the way it labored however did not know the element of was the OOF historical past function. This function has been round for ages and its what Alternate makes use of to make sure you do not obtain extra then one copy of an OOF message if you ship to a mailbox the place the OOF standing is enabled. In line with this KB https://assist.microsoft.com/en-us/assist/3106609/out-of-office-oof-messages-are-sent-multiple-times-to-recipients this record has a restrict of 10000 entries and might trigger issues at instances like all function so it give some particulars on learn how to manually clear it.

The extra attention-grabbing half for a developer is the property they point out PR_DELEGATED_BY_RULE (or PidTagDelegatedByRule https://msdn.microsoft.com/en-us/library/ee218716%28v=exchg.80%29.aspx). This property accommodates a listing of all of the E-mail Addresses that this Mailbox has despatched an OOF message to whereas the OOF function was enabled which is one thing you can do a couple of cool issues with. Pulling on my Sherlock hat right here that property identify would not sound fairly proper even by means of the documentation hyperlink I posted confirms the property identify and property tag are appropriate the datatype specified within the documentation is Boolean and within the KB its a Binary Stream. Studying a little bit a extra into what that property is supposed to do would not fairly match its makes use of right here on the FreeBusy Folder however a scarcity of clear documentation on the really property means at this level lets write it off as some kind of anomaly however the property itself continues to be of curiosity.

Sadly no documentation exists for the precise format of the datastream saved on this property, so we have now to depend on the inspection methodology. Wanting on the uncooked stream it appears like a serialized MAPI stream (eg only a bunch of MAPI properties saved in a binary stream) nevertheless its not like different serialized Mapi streams (eg the Autocomplete stream) the place you have got the conventional EmailAddress Mapi properties and so forth. By inspection it appears extra tokenized with the conventional Mapi property sorts. Taking a look at one of many E-mail Handle values there’s prefix token of 3349C842  which seems to be a repeating token earlier than different electronic mail tackle values (usually you count on the MAPI Tag right here) adopted by 0201 which is the conventional MAPI property kind for Binary props and adopted by a one thing like 1400 which the size of the property worth (saved as Hex) after which for instance a worth like 676C656E7363616C6573407961686F6F2E636F6D . So provided that inspection worth I can write a very dumb parser in PowerShell that parses out the Information Stream a Byte at a time in a ahead method discover the Tokens for the e-mail addresses which all the time appears to have a null terminator previous them after which parse out the E-mail addresses which might provide you with a historical past record of the E-mail acquired and responded to whereas the OOF rule was enabled. Observe with out correct documentation writing an actual parser is not actually possible however from the little testing I’ve completed the dumb parser appears to work okay. I’ve put a replica of an EWS script that grabs this property from a Mailbox’s FreeBusy folder after which dumps and values from this prop into the PowerShell pipeline on GitHub right here https://github.com/gscales/Powershell-Scripts/blob/grasp/ShowOOFRcpHistory.ps1 to make use of it use one thing like

Get-OOFRcpHistory -MailboxName consumer@datarumble.com