Protect Exchange Distribution Lists from Spam

All the employees in one of my company's offices recently received a spam email message advertising a sex shop. My boss asked me to figure out how this message was sent to everyone in the office and to prevent delivery of similar messages in the future.

My company uses Exchange 2000 Server. We developed a hierarchical distribution list (DL) system, in which we group DL members by department or office. You can use one of two methods to send messages to a DL in Exchange 2000. One method is to select the name of the DL in the Outlook Address Book. Another method is to use a DL's SMTP address. Spammers can use only the second method; the header of the email message we received confirmed that the sender sent the message from the Internet to the SMTP address of the DL members. Therefore, we needed to prevent spammers from sending messages from the Internet to our DLs. However, employees needed to retain the ability to send email messages to the DLs inside the corporate network.

A DL must include an SMTP address. When you create a DL, the list automatically obtains an SMTP address that the recipient policy generates. Everyone can send messages to the DL by default. The administrator can give certain users permission to send messages to DLs and can deny other users permission to send messages to the lists.

When you use the Microsoft Management Console (MMC) Active Directory Users and Computers snap-in to open a DL, you can access the DL's Security tab. The Authenticated Users group has the Send to right for every DL. Internet spammers belong to the Anonymous group but not to the Authenticated Users group. Unfortunately, Exchange 2000's Authenticated Users group's Send to right doesn't work and you can't stop spammers from sending spam to DLs.

If you don't change your DL default message restrictions, any Internet user who knows one of your DL's SMTP addresses can send a message to the list. Several methods exist for preventing spammers from sending messages to DLs.

First, you can replace a DL's email addresses with nonexistent addresses (e.g., change [email protected] to [email protected]). If an Internet user tries to send a message to the nonexistent address, the mail system will return a nondelivery report (NDR). But if a company employee selects the DL from Outlook's address book, the message will deliver.

The second solution is more complicated than the first but is also more effective. Most companies have a hierarchical list of DLs. In general, all employees belong to a common DL. You need to allow all other DLs to receive messages from the common list. You also need to allow the common DL to receive messages from itself to protect the list from spammers. For example, suppose that all your employees belong to the DL ALL_USERS, which you created to send companywide notifications. Sales managers belong to the DL SalesManagers, which has the SMTP address [email protected]. Spammers can easily obtain the SMTP address [email protected] and send spam to this address. You need to set the SalesManagers DL's message restrictions to accept messages only from the ALL_USERS group. If someone who doesn't belong to ALL_USERS tries to send a message to the SalesManagers group, Exchange 2000 will generate an NDR. The spam message's SMTP address will probably be a fake, in which case the NDR will go to your SMTP server's queue. If the NDR doesn't send within 2 days, Exchange 2000 will put the report in your Badmail folder. This solution has a notable disadvantage: Because SMTP doesn't support senders' authentication, a spammer could fake or use the SMTP address of a member of the ALL_USERS group. In this case, Exchange 2000 will accept and deliver the spam message to the SalesManagers group.

The third solution is the most complicated and expensive. You can migrate from your existing version of Exchange to Exchange Server 2003. Exchange 2003 has the feature Accept messages from authenticated users only, which lets you accept messages only from authenticated users in the domain. Internet users belong to the Anonymous group but not the Authenticated Users group and therefore can't send messages to DLs.

Finally, you can install third-party antispam software on your gateway computer and configure the software to reject Internet messages to DLs' SMTP addresses. This method's main disadvantage is cost. The solution requires additional hardware and software, as well as your time updating your record of DLs' SMTP addresses.

All four methods for protecting your Exchange 2000 DLs from spam have disadvantages. I've tested the first solution several times; although this method works, replacing a DL's SMTP address with a nonexistent SMTP address can interfere with Exchange services. The second solution isn't optimal because spammers can fake their SMTP address to send spam to a DL. The third and fourth solutions incur additional expenses.

What should you do if spammers know your DL's SMTP address? You can replace the SMTP address with a new address, or you can use one of the solutions I explained in this article. I used the second solution I described, and my company's DLs haven't been bothered by spam since.

Migrating to Exchange 2003 will solve the problem of spam messages sent to DLs. In the meantime, the solutions I discussed will give you some options for protecting your mail system from spam.