As an IT manager, you’ve heard the complaints when someone inadvertently forwards a private e-mail message to everyone in the organization or intentionally spams the all-employee list.

How do you keep these incidents from taxing your system and your employees? One way is to limit access to the all-employee list.

According to TechRepublic systems administrator Mike Laun, “The annoyance level rises as the number of employees on the system increases. When you are at about 50 employees, you can send out a message and know if anyone would be offended by it. But at about 100 employees, that probably won’t be the case anymore.”

If your organization uses Microsoft Exchange, here are Laun’s tips on how and why you should take steps to manage your distribution lists so that only designated employees will be able to send an e-mail to everyone in your organization.

Initial setup
Typically, your initial setup included a distribution list labeled something like @All Employees. As your organization grows and is subdivided into a series of smaller distribution lists based on geography, job function, or department, it is a simple matter to include all of these smaller distribution lists into the @All Employees distribution list.

(Note: The following screen shots are based on Exchange 5.5 with Service Pack 3.)

Here’s a typical all-inclusive distribution list.

But when this all-inclusive distribution list is abused, you should limit the number of people who are allowed to send all-company e-mails.

Here’s one solution
You don’t have to dig too deeply in Exchange to find a way to limit who can send messages to all employees. Here’s how to set it up:

  • Create a distribution list called @Broadcast made up of other distribution lists that contain only the people that should have the ability to send all-company e-mail. This new distribution list might include senior management, department heads, and those people who assist them in doing their jobs, including executive assistants and receptionists.

    • This distribution list will likely be composed of other distribution lists and individuals.

  • Go back to the @All Employees properties and click on the tab called Delivery Restrictions. Click on the List bullet point and Modify the list by adding the @Broadcast distribution list to it.

    • Be sure and click the List bullet button.

    Now the only people who can send a message to all employees will be those people in the @Broadcast group. Perhaps equally important, those employees with their mouse on the Reply To All button won’t be able to spam the entire organization.

    You’ve accomplished what you set out to do by limiting the number of people who can send everyone in the organization an e-mail. Or have you?

    Did you remember to lock the back door?
    Whenever you set up a new user in Exchange on a system with Internet access, Exchange will automatically make an Internet e-mail address and associate it with that new user.

    When you make a distribution list in Exchange, it assigns that group an Internet e-mail address also.

    There are times when you may wish to do this. For example, if a customer of your business wants product information, you may want everyone in your sales group to get that message. If you have a distribution list named @Sales, you’ve already created, by default, an e-mail address for them at sales@yourcompany.com.

    The SMTP address for the Sales group is highlighted.

  • Go back and check all of the E-mail Addresses tabs on each distribution list on your Exchange server if you want to make sure someone from outside your organization can’t hack into that group address.

    • “You want the SMTP line to be deleted for security purposes,” Laun said.

    Typically, the X400 line should be the only address in distribution lists.

    Have you checked your distribution lists to see if they have an unneeded SMTP line? Have you taken over the responsibilities for an Exchange server and found Internet e-mail addresses the organization never thought it had? Start a discussion below or send us a note.