Thursday, January 19, 2017

Showing the Recipient history from the Out of Office feature using EWS

One interesting thing I learnt this week from a mailing list was the detail behind the OOF history feature, which I knew existed but hadn't looked at closely. This feature has been around for ages, and it's what Exchange uses to ensure you don't receive more than one copy of an OOF message when you send to a mailbox where the OOF status is enabled. According to this KB https://support.microsoft.com/en-us/help/3106609/out-of-office-oof-messages-are-sent-multiple-times-to-recipients this list has a limit of 10000 entries and, like any feature, can cause problems at times, so it gives some details on how to manually clear it.

The more interesting part for a developer is the property they mention, PR_DELEGATED_BY_RULE (or PidTagDelegatedByRule https://msdn.microsoft.com/en-us/library/ee218716%28v=exchg.80%29.aspx). This property contains a list of all the email addresses that this mailbox has sent an OOF message to while the OOF feature was enabled, which is something you could do a few cool things with. Pulling on my Sherlock hat here, that property name doesn't sound quite right: even though the documentation link I posted confirms the property name and property tag are correct, the datatype specified in the documentation is Boolean and in the KB it's a Binary Stream. Reading a little more into it, what that property is meant to do doesn't quite match its use here on the FreeBusy folder, but given the lack of clear documentation on the actual property, at this point let's write it off as some type of anomaly. The property itself is still of interest.

Unfortunately no documentation exists for the actual format of the data stream stored in this property, so we have to rely on the inspection method. Looking at the raw stream, it looks like a serialized MAPI stream (e.g. just a bunch of MAPI properties stored in a binary stream); however, it's not like other serialized MAPI streams (e.g. the Autocomplete stream) where you have the normal EmailAddress MAPI properties etc. By inspection it looks more tokenized, with the normal MAPI property types. Looking at one of the email address values, there is a prefix token of 3349C842, which appears to be a repeating token before other email address values (generally you would expect the MAPI tag here), followed by 0201, which is the normal MAPI property type for Binary props, followed by something like 1400, which is the length of the property value (stored as hex), and then for example a value like 676C656E7363616C6573407961686F6F2E636F6D.

Given that inspection, I can write a really dumb parser in PowerShell that parses the data stream a byte at a time in a forward manner, finds the tokens for the email addresses (which always seem to have a null terminator preceding them), and then parses out the email addresses. This gives you a history list of the emails received and responded to while the OOF rule was enabled. Note that without proper documentation writing a real parser isn't really feasible, but from the little testing I've done the dumb parser seems to work okay. I've put a copy of an EWS script that grabs this property from a mailbox's FreeBusy folder and then dumps any values from this prop into the PowerShell pipeline on GitHub here https://github.com/gscales/Powershell-Scripts/blob/master/ShowOOFRcpHistory.ps1. To use it, run something like

Get-OOFRcpHistory -MailboxName user@datarumble.com
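
The token layout described above can be exercised offline with a small scanner. This is an added example, not the script from the GitHub link: the function name Get-OOFHistoryAddress is hypothetical, the sample stream is constructed, and it assumes the two length bytes are stored low byte first (so 1400 is 20 bytes, matching the 20-byte example value) and that values are ASCII.

```powershell
# Added example: scan a byte stream for the 3349C842 + 0201 token described above
# and emit each value that follows it. Bounds are checked because the format is
# undocumented and a false token match must not read past the buffer.
function Get-OOFHistoryAddress {
    param([Parameter(Mandatory)][byte[]]$Stream)

    # Prefix token and Binary property type, both as observed on the page
    [byte[]]$marker = 0x33, 0x49, 0xC8, 0x42, 0x02, 0x01
    $pos = 0
    # Stop while the marker plus two length bytes still fit in the buffer
    while ($pos -le $Stream.Length - $marker.Length - 2) {
        $hit = $true
        for ($m = 0; $m -lt $marker.Length; $m++) {
            if ($Stream[$pos + $m] -ne $marker[$m]) { $hit = $false; break }
        }
        if (-not $hit) { $pos++; continue }

        $lenPos = $pos + $marker.Length
        # Assumption: 16-bit length, low byte first (1400 -> 20)
        $len = [int]$Stream[$lenPos] + 256 * [int]$Stream[$lenPos + 1]
        $start = $lenPos + 2
        if ($len -eq 0 -or ($start + $len) -gt $Stream.Length) {
            # Declared length overruns the buffer: treat as a false match
            $pos++; continue
        }
        # Assumption: values are ASCII email addresses
        [Text.Encoding]::ASCII.GetString($Stream, $start, $len)
        $pos = $start + $len
    }
}

# Constructed sample stream (not real mailbox data): filler, then two entries
$sample = New-Object System.Collections.Generic.List[byte]
$sample.AddRange([byte[]](0x01, 0x00, 0x00, 0x00))
foreach ($addr in 'user1@example.com', 'user2@example.org') {
    $value = [Text.Encoding]::ASCII.GetBytes($addr)
    $sample.Add(0x00)                                   # null byte before each token
    $sample.AddRange([byte[]](0x33, 0x49, 0xC8, 0x42, 0x02, 0x01))
    $sample.AddRange([byte[]]($value.Length, 0x00))     # length, low byte first
    $sample.AddRange($value)
}
# A final entry whose declared length (0x40) overruns the buffer; it is skipped
$sample.AddRange([byte[]](0x33, 0x49, 0xC8, 0x42, 0x02, 0x01, 0x40, 0x00, 0x61, 0x62))

Get-OOFHistoryAddress -Stream $sample.ToArray()
```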
