Prevent users from sending to BCC using Transport Rule

Portugues  English

The Exchange Server performs header injections, it inserts a lot of informations into the header of the email; one of this information is about the BCC for those cases which the message contains a recipient in the BCC field. In those cases, a particular header line must be inject informing the SMTP address from the BCC recipient.

The header line is: X-MS-Exchange-Organization-BCC

Although Exchange Server does not have a Transport Rule declared for BCC’s blocking, with this header line we have enough weapons to block e-mails that contains BCC recipients.

The first step is create a new Transport Rule through EAC – or powershell – with the following settings:

Apply this rule if: A message header matches> X-MS-Exchange-Organization-BCC header matches $

transport rule bcc

Note: The dollar may be used as asterisk; it will become a wildcard for any address / domain.

Then you should perform some send tests to BCC recipients and check if the rule is blocking as expected:

transport rule bcc exemple

If the main goal is blocking recipients from sending BCC only internally, instead of using the dollar must be used the domain name followed by the dollar:

transport rule bcc2

Remember that the transport rule will block the message for all recipients, whether it is in the To or Cc field, everyone will be affected by the rule. Because of this behavior, be in mind the importance of writing a clear message in the reject explanation in the NDR saying that the message was not send to nobody because there is a BCC recipient.

In the case of a hybrid environment, the rule may also be applied in Exchange online, it will prevent the BCC’s sending from the both sides.

Note: The X-MS-Exchange-Organization-BCC header is not visible after message delivery. This header line is convert to X-Ms-Exchange-Organization-Recipient-P2-Type: Bcc for messages delivered internally, and deleted for messages delivered externally. For those who want troubleshooting this header line will need to use Pipeline Tracing to be able to view the header before it is converted or deleted.

Leave a Reply

Your email address will not be published. Required fields are marked *