Using Exchange Transport Rules to Prevent Recipients from Replying to or Forwarding a Message


In Exchange 2007 and 2010, we can use Message Classification and transport rules to control the flow of mail. In a specific scenario, this can be utilised to restrict replies and forwards of confidential messages. Consider the following scenario:

  • Exchange 2007 environment
  • Thousands of Outlook 2007, OWA, Blackberry, iPhone users
  • Requirement: Users need to be able to prevent recipients from replying to or forwarding their email messages. In other words, when User A sends a message to User B, User B has to be prevented from using the email system to further disseminate the message. Consider the different methods that User B could use:
    1. Hit Reply, Reply All or Forward buttons.
    2. Use manual methods: copy and paste, print, retype the message

Preliminary Findings

The only real solution is to use Active Directory Rights Management Services (Information Rights Management). This is because RMS is the only mechanism that can prevent a recipient from using either of the methods listed in the requirements.

However, AD RMS has some difficulties attached to it: cost, complexity, lack of skills, time to production etc.

Modify Outlook Functionality

If for any reason you cannot go down the AD RMS route, there is a well-documented client-based solution that satisfies the first group of requirements (item 1 above). You can read more about it in this article: NoReplyAll Outlook Add-In.

Obviously, though, client-based solutions are not always an easy sell with thousands of users.

Using Transport Rules in Exchange Server 2007/2010

You can achieve similar functionality to that offered by blocking Outlook buttons by utilising Exchange Transport Rules. The solution relies on users selecting “Confidential” in the message sensitivity options and Exchange performing a 2-step examination of messages that meet certain criteria.

This solution requires that you clearly educate your business and your users about both the functionality and the limitations of the solution. If these are understood and acceptable, this may provide an easy and quick resolution until such time as either AD RMS or another complete solution is implemented.

Minimum Requirements

  • Exchange Server 2007 or above.
  • Outlook or Outlook Web Access client.
  • Exchange Organization Administrators (or Exchange Organization Management) role

Overview

To complete the solution, perform the following:

  • User education to mark messages Confidential when they don’t want them disseminated beyond the first (set of) recipients. This is specific to your environment, so there are no further instructions on this point.
  • An existing or new Message Classification that will be used to tag any Confidential messages.
  • Transport Rule 2: A rule that triggers on Confidential messages and applies specified Classification
  • Transport Rule 1: A rule that triggers on messages with specific Classification and drops them.

1. Create New Message Classification

Using the Exchange Management Shell, type the following (substituting the values within quotation marks for whatever you prefer):

New-MessageClassification -Name "BlockRepliesForwards" -DisplayName "Block Replies and Forwards" -SenderDescription "This message is for your eyes only."

2. Create Transport Rule 2: Classifying the message

For this step, you will use the Exchange Management Console, Organization Configuration, Hub Transport, New Transport Rule wizard:

  1. Enter rule name (e.g. Block Reply Forward – Apply Classification) and Rule Description.
  2. Click Next.
  3. In Conditions window under Step 1, select “when a message header contains specific words”.
  4. Under Step 2, click on “message header” and enter “Sensitivity”. Click on “specific words” and enter “Confidential”
  5. Click Next.
  6. In Actions window under Step 1, select “apply message classification”
  7. Under Step 2, click on “message classification” and select “Block Replies and Forwards”
  8. Complete wizard without further changes.

3. Create Transport Rule 1: Dropping the message

Again using the New Transport Rule wizard:

  1. Enter rule name (e.g. Drop the message) and Rule Description.
  2. Click Next.
  3. In Conditions window under Step 1, select “marked with classification”.
  4. Under Step 2, click on “classification” and enter “Block Replies and Forwards”.
  5. Click Next.
  6. In Actions window under Step 1, select “send bounce message to sender with enhanced status code”
  7. Under Step 2, click on “Delivery not authorised, message refused” and substitute for a more user-friendly message.
  8. Complete wizard without further changes.
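
The two wizard procedures above can also be scripted. This is an added example, not part of the original article: it assumes the Exchange 2010 Management Shell (Exchange 2007 builds rules from Get-TransportRulePredicate and Get-TransportRuleAction objects instead), the reject text is a constructed sample, and placing the drop rule ahead of the classification rule is an assumption drawn from the "Rule 1" / "Rule 2" numbering.

```powershell
# Added example, not from the original article. Assumes Exchange 2010 Management Shell.
# Look up the classification created in step 1.
$class = Get-MessageClassification "BlockRepliesForwards"

# Transport Rule 1 (evaluated first): reject any message that already carries
# the classification, i.e. a reply or forward of a previously classified message.
# Priority ordering is an assumption based on the article's rule numbering.
New-TransportRule -Name "Drop the message" `
    -HasClassification $class.Identity `
    -RejectMessageEnhancedStatusCode "5.7.1" `
    -RejectMessageReasonText "Replies to and forwards of this message are not permitted." `
    -Priority 0

# Transport Rule 2 (evaluated second): tag a message whose Sensitivity header
# contains "Confidential" with the classification. Because Rule 1 has already
# run, the original send is classified and delivered, not rejected.
New-TransportRule -Name "Block Reply Forward - Apply Classification" `
    -HeaderContainsMessageHeader "Sensitivity" `
    -HeaderContainsWords "Confidential" `
    -ApplyClassification $class.Identity `
    -Priority 1

# Verify both rules exist, are enabled, and sit in the intended order.
Get-TransportRule |
    Sort-Object Priority |
    Format-Table Priority, Name, State -AutoSize
```

Pilot the rules by sending a Confidential test message between two internal mailboxes, then replying to it: the first message should arrive with the classification banner and the reply should bounce with the reject text.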

Caveats, Conditions and Risks That Must Be Accepted

  • The solution works only for Outlook and Outlook Web Access users within the Exchange organization. In other words, any external recipient will not be bound by these rules. Similarly, at present there is no solution for mobile devices, since they don’t have the concept of Message Classification. This limitation also applies to the Outlook-based solution of disabling buttons that was mentioned above.
  • The solution cannot prevent manual methods of copying or replicating the message – copy/paste, printing, file attachment etc. Again, the limitation applies to the client-based solution.

Disclaimer

Usual disclaimer applies here: Instructions provided without any warranties. Test the solution for validity in your environment, adjust to your environment, communicate with all stakeholders, test again, pilot, document, implement.

 
