How to be an 31337 hax04 and send mail to a DL to which you don’t have rights

In Exchange, you can configure a distribution list so that only certain users have access to send mail to it (and if only that feature had been used in the Bedlam days...). This is handy for DLs such as "Microsoft All Employees", where only a few people at the company should ever need to send to it for major company-wide events (such as announcing the return of office supplies (!!) and towels). There are other situations where it can be useful too - a while back we experimented with setting such a restriction on a DL that had "All Exchange Developers" on it, because it was a lightning rod for questions from anyone and everyone about developing against Exchange. While the devs were wonderfully helpful, after a point it got to be too much and they had to get back to their day jobs.

If you want to amaze and wow your friends (well, at least the geeky/dorky ones), you can fake your way around this limitation by composing a message and putting the DL on the To field and the BCC field. Using Outlook's handy-dandy DL expansion feature, you can expand the contents of the BCC field and then send the message as you normally would.

This feature is a lot like IRM in that it's a feature to help improve security... but like IRM, it is not a silver bullet to prevent users from emailing each other (although we have some awesome improvements coming in this area in Exchange 12, more on that in a later post!). On that note, here's another fun trick: when you receive an IRM-protected email where you're not allowed to reply all, click forward instead, change the "FW" to a "RE" and copy in the recipients to the appropriate fields, send the mail, and watch the head-scratching start.

Security purists or slashdot readers will point out that IRM-protecting a message to ensure that it doesn't leave the company doesn't actually protect that mail from being leaked. That's absolutely true. If a user receives an email and they want to disclose the contents to their favorite reporter, they don't need any fancy screencap software or DRM-cracker, they can just call the reporter and read the mail over the phone. Fortunately, that's not what IRM is all about. As itself states: "IRM...can't protect information from every threat, every person, or every set of circumstances. IRM is a highly effective deterrent to the office busybody, the careless coworker, or the small-time information thief. To a determined, technologically sophisticated, and well-paid corporate spy, IRM might be little more than a temporary setback.".

So what's a security-conscious exchange administrator to do? The simplest answer that helps with one of the more common uses of Send restrictions (DLs with huge memberships) is to set a restriction on the number of recipients permitted on mail. If you get complaints about a user using this tactic and you already use journaling, you can look up the journal reports of how the mail was sent to confirm the abuse. You could also choose to hide the DL from the GAL or hide the membership of the DL from users, in the hopes that out of sight = out of mind. But at the end of the day, these features are but tools in your arsenal; at the end of the day, a lot of things come down to users.

Comments (3)

  1. Anonymous says:

    It’s weekend, so you know it’s time for "Weekend reading"  

    Exchange Server 2003 — Read…

  2. Anonymous says:

    One of my fellow bloggers and Exchange PM, KC Lemson, has blogged some thoughts about users having the…

Skip to main content