
CA Data Protection - Why do recipients appear on the To\CC line as well as Actual Recipients.


Article ID: 16425


Updated On:


CA Security Command Center CA Data Protection (DataMinder) CA User Activity Reporting


To understand how Data Protection (DataMinder) displays event participants, you first need to understand how Exchange manages mail flow.

In early releases of Microsoft Exchange the default method of capturing messages sent to and from users ("Standard Journaling") did not capture all of a message's recipient information, such as BCC recipients or the members of distribution lists. Later Exchange versions therefore use "Envelope Journaling", which forwards a single email to the archive as an envelope with two parts: a journal report listing the recipients the message was actually delivered to (the P1 recipients), and the original message, carrying its To and CC headers (the P2 recipients), attached to that report.

By default, Exchange 2010 (onward) uses Envelope Journaling. Envelope Journaling associates every recipient with a message, including CC and BCC recipients and the individual members of distribution groups, and all of the envelope information is saved in the archive.

In practice, an email can carry entries in its TO:, CC: and BCC: fields. The TO: and CC: entries are visible to every recipient; the BCC: entries are not. With Microsoft Exchange as the mail server, the mechanics of this are as follows:

When an Exchange Server processes a message, the MTA (Message Transfer Agent) splits it into two recipient lists: the P1 recipients (the actual delivery recipients, i.e. the message envelope) and the P2 recipients (the display recipients, i.e. the TO: and CC: headers of the message itself). The P1 list is used for mail delivery; the P2 list is what recipients see. If the message were captured at the moment it was submitted you could assume that P1 = TO + CC + BCC, but in practice mail flow is often much more complex, as the following scenario shows.


Example scenario: 

You compose an email with Alice on the To line and Bob as a Bcc.

At that point the P1 recipients are simply Alice and Bob.


When you click "Send", the email goes to ACME's mail server, which promptly adds your boss, James, as a recipient (through a mail rule), and also the journal mailbox, ACMEJournal (for archiving).


Now your P1 recipients are Alice, Bob, James, and ACMEJournal. 

Because Alice is in a different company (Unipraxis), at that point the email 'forks': one copy goes to Unipraxis, while another copy stays at ACME.

The P1 recipients on the copy going to Unipraxis are now only Alice, while the P1 recipients on the copy staying at ACME are Bob, James, and ACMEJournal.

When the mail server at Unipraxis receives the email for Alice, it adds UXJournal as a recipient (for archiving). The P1 recipients now on that copy of the email are Alice and UXJournal. 

When James gets the email, he will see that you sent an email to Alice. He will not know about Bob.

When Alice gets the email, she’ll only see herself as a recipient. 

When Bob gets the email, he will see that it was sent to Alice but will not see himself as a recipient, although he may guess that you sent him a copy as a BCC recipient.

If the email administrators of ACME and Unipraxis look in their respective journals, they will simply see an email from you addressed to Alice.



When an event is displayed in the Data Protection iConsole, the mail event can appear to have duplicate entries, because some users appear both on the To\CC line and in the Actual Recipients list. Why do recipients appear on the To\CC line as well as in Actual Recipients?


Data Protection (DataMinder)


CA Data Protection (DataMinder) captures an email event at a point of processing, for example at an Exchange Server Agent (ESA). The Data Protection ESA plug-in is usually (although not guaranteed to be) configured as the last plug-in in the pre-submission queue, i.e. after anti-virus, spam filters, archiving and Exchange rules have run, and it does not distinguish between incoming and outgoing mail flow, so it cannot infer that P1 = TO + CC + BCC. Consequently, when an email is captured and displayed in the iConsole, the recipients are shown as they appear in the P2 recipient list (the TO: and CC: headers) and, separately, as the recipients present in the envelope at the point of processing (the P1 Actual Recipients). An address that is both named in the headers and present in the envelope therefore appears in both lists; this is one event, not a duplicate.

This gives the reviewer a view of whether each participant, at the point of capture, was a visibly named recipient or received the mail through another mail flow process (a BCC, an automated mail rule, journaling, etc.), which may be relevant to how the issue is audited.
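The scenario above and the To\CC line versus Actual Recipients view described here, modelled as an added example. This is not CA Data Protection or Exchange code: it builds the message with Python's standard email library, keeps the P1 envelope separately from the P2 headers, forks the copy per destination domain as the article describes, and then reports, for each capture point, which addresses are on the To/CC line, which are actual recipients, and which are in both. The domains, addresses and the rule that copies the boss are constructed for illustration.

```python
"""Model of how Exchange splits a message into P1 (envelope) and P2 (header)
recipients, and of the To/CC vs Actual Recipients view that results.
Added example for this article; not CA Data Protection or Exchange code.
Domains, addresses and the boss-copy rule are constructed."""
from dataclasses import dataclass
from email.message import EmailMessage


@dataclass
class Copy:
    """One physical copy of a message in transit. The P2 content (headers
    and body) is identical on every copy; the P1 envelope differs per copy."""
    msg: EmailMessage   # P2: To/Cc headers and body; Bcc is never written here
    p1: list            # P1: envelope recipients this copy will be delivered to


def compose(sender, to, cc=(), bcc=()):
    """At the client, P1 = To + Cc + Bcc. The Bcc list goes only into the
    envelope, so the transmitted P2 headers carry just To and Cc."""
    msg = EmailMessage()
    msg["From"] = sender
    msg["To"] = ", ".join(to)
    if cc:
        msg["Cc"] = ", ".join(cc)
    msg.set_content("Constructed body for the example.")
    return Copy(msg, list(to) + list(cc) + list(bcc))


def add_envelope_recipients(copy, extra):
    """Mail rules and journaling add P1 recipients only; P2 is untouched."""
    return Copy(copy.msg, copy.p1 + [r for r in extra if r not in copy.p1])


def fork_by_domain(copy):
    """The MTA forks one copy per destination domain. Each fork keeps the same
    P2 but only the P1 recipients that live in that domain."""
    forks = {}
    for rcpt in copy.p1:
        forks.setdefault(rcpt.rsplit("@", 1)[1].lower(), []).append(rcpt)
    return {dom: Copy(copy.msg, rcpts) for dom, rcpts in forks.items()}


def p2_recipients(msg):
    """Addresses a recipient sees: the To and Cc headers."""
    return [a.strip() for h in ("To", "Cc")
            for a in str(msg.get(h, "")).split(",") if a.strip()]


def capture_view(copy):
    """What a reviewer sees for a copy captured at this processing point:
    the To/CC line (P2), the Actual Recipients (P1), and how they relate."""
    p2, p1 = p2_recipients(copy.msg), list(copy.p1)
    return {
        "to_cc_line": p2,
        "actual_recipients": p1,
        "in_both": [a for a in p1 if a in p2],                      # named AND delivered here
        "delivered_but_not_named": [a for a in p1 if a not in p2],  # Bcc, rule, journal
        "named_but_not_delivered_here": [a for a in p2 if a not in p1],  # served by another fork
    }


def run_scenario():
    """The article's scenario: Alice (To) at Unipraxis, Bob (Bcc) at ACME,
    ACME's server adds James (boss) and ACMEJournal, Unipraxis adds UXJournal."""
    sent = compose("you@acme.example", to=["alice@unipraxis.example"],
                   bcc=["bob@acme.example"])
    at_acme = add_envelope_recipients(
        sent, ["james@acme.example", "acmejournal@acme.example"])
    forks = fork_by_domain(at_acme)
    at_unipraxis = add_envelope_recipients(
        forks["unipraxis.example"], ["uxjournal@unipraxis.example"])
    return {
        "acme_at_capture": capture_view(at_acme),   # agent runs before the fork
        "acme_internal_fork": capture_view(forks["acme.example"]),
        "unipraxis": capture_view(at_unipraxis),
    }


if __name__ == "__main__":
    for point, view in run_scenario().items():
        print(point)
        for key, addrs in view.items():
            print(f"  {key}: {addrs}")
```

At the ACME capture point Alice is on the To/CC line and in Actual Recipients at the same time, which is exactly the apparent duplicate the question asks about, while Bob, James and ACMEJournal are delivered without being named. On the internal ACME fork Alice is still named in the headers but is no longer an envelope recipient of that copy, which is why the two lists cannot be derived from one another.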