I was discussing a spam problem with a customer recently and they mentioned to me that one of their biggest problems is spam sent to their email distribution lists.  The problem had come about due to two things – firstly the email addresses for some of their distribution lists are very easy to guess (eg, the “All Staff email group has an email address of allstaff[at]company.com), and secondly there had been occasions in the past where staff exposed the email addresses by CC’ing them on emails sent outside the company.

Over time the problem has grown to the point where it is now very frustrating for their staff.  They’ve asked me for some suggestions on how to fix this problem, so I presented them with these options.

Requiring Authentication for Exchange Server 2007 Distribution Groups

The default behavior for newly created distribution groups in Exchange Server 2007 is to require that all senders be authenticated, or the message is simply rejected.  This is useful, however, for a vast majority of Exchange Server 2007 organisations their distribution groups existed prior to the upgrade to Exchange Server 2007.  In these cases the authentication requirement is not enabled.To require authentication for a distribution group simply open the group properties, navigate to the Mail Flow Settings tab, open the Message Delivery Restrictions and then tick the box marked “Require that all senders are authenticated”.

While this solution has the desired effect of preventing spam from reaching the distribution group, it also prevents other legitimate outside email from reaching the list.

Filtering Distribution Groups by Sender

The authentication requirement will prevent legitimate outside email from reaching important distribution groups.  To resolve this through the same Message Delivery Restrictions you can instead control which senders are permitted to send to the distribution group.

This method causes some extra administrative burden for the email server admins because each permitted sender must first be added as an Exchange Contact.  Furthermore if you want the distribution group to receive emails from internal staff you need to ensure they are also added to the list, either directly or via a group.

Obscuring Distribution Group Email Addresses

One method that most email admins will try at least once in their career is to obscure the email address of distribution groups to make it harder to guess, or to make it impossible to send to from outside the organization.  In Exchange Server 2007 this is achieved by using Email Address Policies that apply only to distribution group objects.

For example, the policy may apply a string of characters to the email address to make it harder to guess, such as allstaff_ksf2ui2[at]company.com.  While this does have the effect of making it nearly impossible to guess it does nothing to prevent exposure of the email address if it were included in an email sent outside the organization.

A second technique is to use an SMTP domain that is invalid outside of the organization.  For example allstaff[at]groups.company.com or allstaff[at]company.local.  This has the effect of nullifying any exposure of the email address outside the organization but similar to the earlier filtering techniques it prevents legitimate outside email from reaching the group.

Implementing an Anti-Spam Solution

Although the customer was seeking a free solution once I explained each of the options above it became clear to them that these techniques would either be ineffective, require too much effort to maintain, or would prevent legitimate business use of their distribution groups.

Instead they agreed to trial an anti-spam solution, which satisfied them by preventing spam and other unwanted emails in an effective and easy to manage way, and which they ultimately purchased and are now happily getting on with their business without the constant hassle of spam.