2015-10-27
Some theories about what spammers get out of using null sender addresses
In light of spammers exploiting outlook.com with null sender addresses, one obvious question to ask is why they bother doing this. Well, that's not quite the right question, because the obvious answer is 'it helps their spamming somehow'. My real question is how it helps, and on this I have a few theories.
It's possible that anti-spam systems are more likely to let email from null sender email addresses through than other email, but I don't really believe this. Outlook.com is not the only place where spammers can use null sender addresses, and so if it was useful this way I'd expect spammers to have been using null senders already. Instead I believe that outlook.com spam is pretty much the first big source of this that I've seen.
There's a number of possible things this might do on outlook.com specifically. First, perhaps the spammers have figured out how to exploit a message submission path that requires less authentication, does less spam checking on outgoing email, or is easier to use in bulk but that requires null senders. Here, the null sender is more or less a side effect of the submission path and the spammers don't particularly care about it.
An obvious speculation is that the spammers have found that using a null sender slows down outlook.com's abuse handling process. I don't particularly believe this, since the null sender spam I've trapped has plenty of peculiar internal Microsoft headers. Given that Microsoft hosts disparate things behind the outlook.com name, I'd expect that these headers are what Microsoft actually uses to backtrack spam.
However, there's a related possibility. It's quite possible that a place like outlook.com uses the volume of SMTP time rejections as a signal of badness. If a lot of the email that a particular address sends out gets rejections, well, that's probably worth paying attention to. It could well be that using a null sender mostly defeats this precaution, buying the spammers more time (and more spam) before outlook.com's automated measures stop them. Of course this shouldn't really be the case, since outlook.com has those internal tracking headers even with a null sender, but, well, it's already been established that Microsoft is falling down on the job.
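To make the rejection-rate idea concrete, here is an added example (not the post's own code; outlook.com's real logs and signals are not known) that computes the share of SMTP-time rejections per key over a few constructed relay log lines. The log format and the `submitter=` field, standing in for whatever internal identifier the relay could use to attribute a message, are assumptions. Keying on the envelope sender lumps every null-sender message into one shared '<>' bucket, which dilutes the signal; keying on the submitter still exposes the account whose mail is mostly being refused.

```python
import re
from collections import defaultdict

# Constructed outbound-relay log lines in a hypothetical format: one delivery
# attempt per line, with the envelope sender used, the (assumed) account that
# submitted the message, and whether the receiving site rejected it at SMTP time.
SAMPLE_LOG = """\
sender=<> submitter=acct-1 result=rejected
sender=<> submitter=acct-1 result=rejected
sender=<> submitter=acct-1 result=accepted
sender=<> submitter=acct-2 result=accepted
sender=<> submitter=acct-2 result=accepted
sender=<jane@example.org> submitter=acct-3 result=accepted
sender=<jane@example.org> submitter=acct-3 result=accepted
sender=<jane@example.org> submitter=acct-3 result=rejected
"""

LINE_RE = re.compile(
    r"sender=<(?P<sender>[^>]*)> submitter=(?P<submitter>\S+) result=(?P<result>\w+)"
)


def parse(log_text):
    """Yield one record per well-formed line; the null sender is kept as '<>'."""
    for line in log_text.splitlines():
        m = LINE_RE.search(line)
        if m:
            yield {
                "sender": m.group("sender") or "<>",
                "submitter": m.group("submitter"),
                "rejected": m.group("result") == "rejected",
            }


def rejection_rates(log_text, key):
    """Return {key_value: (rejected, total, rate)} with key 'sender' or 'submitter'."""
    counts = defaultdict(lambda: [0, 0])  # [rejected, total]
    for rec in parse(log_text):
        c = counts[rec[key]]
        c[1] += 1
        if rec["rejected"]:
            c[0] += 1
    return {k: (r, t, r / t) for k, (r, t) in counts.items()}


def flag_suspicious(rates, min_attempts=3, threshold=0.5):
    """Keys with enough attempts whose rejection rate meets the threshold."""
    return sorted(k for k, (r, t, rate) in rates.items()
                  if t >= min_attempts and rate >= threshold)


if __name__ == "__main__":
    for key in ("sender", "submitter"):
        rates = rejection_rates(SAMPLE_LOG, key)
        print(key, rates, "flagged:", flag_suspicious(rates))
```

With the sample data, the per-sender view sees '<>' refused two times out of five and flags nothing, while the per-submitter view flags `acct-1`, whose mail was refused two times out of three.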
Finally, there's an obvious answer: spammers are simply saving
themselves the effort of coming up with sender addresses, especially
ones that won't trip over SPF or DMARC or whatever policies, or hit
other issues. I don't think I've ever seen a spam of this nature
that wants you to reply to the sending address; when they want email
replies at all, the spam has a Reply-To: to somewhere else (and
if the From: matters, that can be forged). Given that outlook.com
lets the spammers use the null sender, well, that gets them out of
that little bit of work.
(Of course all of this is empty theorizing about something I'll probably never have the answer to. But the whole situation bugs me, as you can probably tell. And if spam from null senders is going to trend up in general, that's going to affect mail filtering systems.)
2015-10-26
The null sender spammers now seem to be entrenched on outlook.com
A bit over a month ago I wrote about how
spam from outlook.com had started showing up with a null sender
address (a MAIL FROM of '<>'). It will probably not surprise
you to hear that this spam has continued, and in fact has likely
intensified. Based on what I've seen in our logs and in a spamtrap
that I enabled in order to collect samples of this spam, a number
of spammers appear to have worked out that Microsoft will let them
get away with this and are happily spamming away.
(One of the spam samples I captured was a reasonably targeted phish spam, which makes me even more annoyed with Microsoft.)
Our anti-spam appliance keeps logs, of course, and this gives me a way to assess just how much null sender spam has been showing up here. Based on logs from the past ten full days, it breaks down like this:
- 490 null sender messages sent to us from .protection.outlook.com hosts, out of 2,570 messages from them in total. So about one in five.
- 249 had a 90% or higher spam score; 30 had one in the 80% range and 17 in the 70% range, which is roughly our cutoff for scoring something as spam. So more than half were spammy enough that our system saw them as clear spam.
- Out of the outlook.com messages without null senders, only 23 scored 90% or higher, 16 in the 80% band, 4 in 70%, and 3 in 60%. In fact, 1860 of the 2080 scored under 10%.
Now, this doesn't mean that our anti-spam appliance has scored these correctly either way (and in fact I suspect that almost all of the null sender messages were actually spam). But it does strongly suggest that the messages with null senders are very much skewed towards spam instead of legitimate email (and obvious spam at that), and thus that this is a signal that Microsoft should be looking at and doing something about. If they cared and paid attention, that is. Which they clearly don't.
(Someday they will, when sufficiently many spammers figure this particular trick out that the wave of spam becomes a real problem for Microsoft. But that's probably going to take a while and in the mean time Microsoft's corporate indifference is subjecting the rest of us to a steadily increasing barrage of spam from their servers.)
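The breakdown above can be reproduced from logs with a small script. The following is an added example, not the post's own tooling: it parses a few constructed log lines in an assumed format (connecting host, envelope sender, percentage spam score) and splits messages from .protection.outlook.com hosts into null-sender and normal-sender groups, bucketed by score band, with a count of how many null-sender messages cleared the 70% cutoff the post mentions.

```python
import re
from collections import Counter

# Constructed sample log lines (not the real appliance's format): one accepted
# message per line with the connecting host, the MAIL FROM and the spam score.
SAMPLE_LOG = """\
2015-10-25T10:01:02 client=mail-xx1.outbound.protection.outlook.com from=<> score=93
2015-10-25T10:03:17 client=mail-xx2.outbound.protection.outlook.com from=<> score=85
2015-10-25T10:05:40 client=mail-xx1.outbound.protection.outlook.com from=<> score=71
2015-10-25T10:07:03 client=mail-xx3.outbound.protection.outlook.com from=<> score=12
2015-10-25T10:09:55 client=mail-xx2.outbound.protection.outlook.com from=<alice@example.org> score=3
2015-10-25T10:11:21 client=mail-xx3.outbound.protection.outlook.com from=<bob@example.org> score=91
2015-10-25T10:14:08 client=mail-xx1.outbound.protection.outlook.com from=<carol@example.org> score=6
2015-10-25T10:16:44 client=mx.example.net from=<> score=2
2015-10-25T10:18:30 client=mx.example.net from=<dave@example.net> score=0
"""

LINE_RE = re.compile(r"client=(?P<client>\S+) from=<(?P<sender>[^>]*)> score=(?P<score>\d+)")


def parse_line(line):
    """Return {client, sender, score} for a well-formed line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return {
        "client": m.group("client").lower(),
        "sender": m.group("sender"),  # empty string is the null sender '<>'
        "score": int(m.group("score")),
    }


def band(score):
    """Map a percentage score to its ten-point band: 93 -> 90, 71 -> 70."""
    return (score // 10) * 10


def summarize(log_text, host_suffix=".protection.outlook.com", spam_band=70):
    """Break down messages from host_suffix by null vs normal sender and score band."""
    total = 0
    null_bands = Counter()
    other_bands = Counter()
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec is None or not rec["client"].endswith(host_suffix):
            continue
        total += 1
        target = null_bands if rec["sender"] == "" else other_bands
        target[band(rec["score"])] += 1
    null_total = sum(null_bands.values())
    null_spammy = sum(n for b, n in null_bands.items() if b >= spam_band)
    return {
        "total": total,
        "null_total": null_total,
        "null_bands": dict(null_bands),
        "other_bands": dict(other_bands),
        "null_spammy": null_spammy,
        "null_spammy_fraction": null_spammy / null_total if null_total else 0.0,
    }


if __name__ == "__main__":
    import json
    print(json.dumps(summarize(SAMPLE_LOG), indent=2, sort_keys=True))
```

Messages from other hosts are ignored entirely, so the denominator matches "messages from them in total" rather than all traffic.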
2015-10-05
How many recent sender domains are in the Spamhaus DBL
The Spamhaus DBL is, well, let's quote it directly:
The Spamhaus DBL is a realtime database of domains (typically web site domains) found in spam messages. [...]
Per Spamhaus's documentation, the recommended or best way of using
the DBL is to check URLs in incoming messages against it. However
you can also use it to check domain names from other sources, such
as DNS hostnames, EHLO claimed names, and the host or domain name
in the envelope sender address (the SMTP MAIL FROM).
For reasons beyond the scope of this entry, I got curious about how many of the domains sending us email over the recent past might be (still) listed in the DBL. To get a rough idea of this, I extracted the sender domain for all accepted email on our external MX gateway for roughly the past ten days and checked them all. The headline results surprised me:
Out of 10,397 different sending domains, 1,422 were on the DBL.
This is a lot more than I expected. Note that this is a count of domains, not email volume; to put it one way, 'gmail.com' is one domain just as 'aftencia.review' is, but the former is sending us many more email messages than the latter.
Since this is email the gateway accepted, it excludes email that
was rejected during the SMTP conversation for various reasons. I've noticed that there's a fairly decent
correlation between SBL listed IPs and DBL listed sender domains
(eg many IPs that are on the SBL CSS
seem to use MAIL FROMs that are in the DBL, probably unsurprisingly).
(I'm presenting such relatively odd numbers because it's much more work to get more interesting ones, such as what percentage of accepted email messages those DBL-listed senders are responsible for. Crude shell scripts don't make what are effectively cross-table joins very easy. Also, I started out expecting a very low DBL hit rate, which would have made detailed stats fairly pointless.)
PS: While there were quite a number of new TLDs in the DBL listed domains, it turns out that the three most common TLDs were .com, .net, and .eu (followed by .download and .xyz). However, somewhat over half of the .net domains come from .in.net; if considered separate from .net, it would be the fourth most common 'TLD' (and .net would drop out of the top five).
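The sender-domain check and the TLD tally from the PS can both be done with a short script. This is an added example rather than the post's own shell scripts: it pulls the domain out of each envelope sender, skipping the null sender and address literals (the DBL lists domains only), deduplicates, looks each domain up under `dbl.spamhaus.org` and counts the last one or two labels of the listed domains. The default resolver does a real DNS query; the sample run uses a constructed lookup table so it works offline. The sample addresses and their listing status are constructed, and the return-code names follow Spamhaus's published DBL codes.

```python
import socket
from collections import Counter

DBL_ZONE = "dbl.spamhaus.org"

# Spamhaus's documented DBL return codes (subset); 127.0.1.255 is returned
# when a query names an IP address, which the DBL never lists.
DBL_CODES = {
    "127.0.1.2": "spam domain",
    "127.0.1.4": "phish domain",
    "127.0.1.5": "malware domain",
    "127.0.1.6": "botnet C&C domain",
    "127.0.1.102": "abused legit spam",
    "127.0.1.255": "IP queries prohibited",
}

# Constructed MAIL FROM values; the domains carry no real-world claim.
SAMPLE_MAIL_FROMS = [
    "<alice@example.com>",
    "<bob@example.com>",            # same domain: counted once
    "<>",                           # null sender: nothing to check
    "<postmaster@[192.0.2.10]>",    # address literal: never sent to the DBL
    "<offers@promo.example.in.net>",
    "<news@deals.example.download>",
    "<root@Mail.Example.Net.>",     # case and trailing dot normalised
    "<win@lucky.example.eu>",
]

# Constructed listing results standing in for live DNS answers.
FAKE_DBL = {
    "promo.example.in.net": "127.0.1.2",
    "deals.example.download": "127.0.1.4",
    "lucky.example.eu": "127.0.1.2",
}


def sender_domain(mail_from):
    """Domain of an envelope sender, or None for '<>' or an address literal."""
    addr = mail_from.strip()
    if addr.startswith("<") and addr.endswith(">"):
        addr = addr[1:-1]
    if "@" not in addr:
        return None
    domain = addr.rsplit("@", 1)[1].lower().rstrip(".")
    if not domain or domain.startswith("["):
        return None
    return domain


def dns_lookup(domain):
    """Query the DBL over DNS; NXDOMAIN (gaierror) means not listed."""
    try:
        return socket.gethostbyname(f"{domain}.{DBL_ZONE}")
    except socket.gaierror:
        return None


def fake_lookup(domain):
    return FAKE_DBL.get(domain)


def check_domains(domains, lookup=dns_lookup):
    """Return {domain: listing description} for the listed domains."""
    listed = {}
    for d in sorted(set(domains)):
        code = lookup(d)
        if code is not None:
            listed[d] = DBL_CODES.get(code, f"unknown code {code}")
    return listed


def tld_counts(domains, labels=1):
    """Count the trailing `labels` labels, so labels=2 sees '.in.net' as its own 'TLD'."""
    return Counter(".".join(d.split(".")[-labels:]) for d in domains)


def audit(mail_froms, lookup=dns_lookup):
    domains = {d for d in (sender_domain(m) for m in mail_froms) if d}
    listed = check_domains(domains, lookup)
    return {
        "domains": len(domains),
        "listed": listed,
        "tlds_1": tld_counts(listed, 1),
        "tlds_2": tld_counts(listed, 2),
    }


if __name__ == "__main__":
    result = audit(SAMPLE_MAIL_FROMS, fake_lookup)
    print(f"Out of {result['domains']} different sending domains, "
          f"{len(result['listed'])} were on the DBL.")
    print(result["listed"], result["tlds_1"], result["tlds_2"])
```

Pass `dns_lookup` (the default) instead of `fake_lookup` to query the live list; every domain is queried once regardless of how many messages it sent, matching the post's count of domains rather than message volume.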