Some theories about what spammers get out of using null sender addresses
In light of spammers exploiting outlook.com with null sender addresses, one obvious question to ask is why they bother doing this. Well, that's not quite the right question, because the obvious answer is 'it helps their spamming somehow'. My real question is how it helps, and on this I have a few theories.
It's possible that anti-spam systems are more likely to let email from null sender email addresses through than other email, but I don't really believe this. Outlook.com is not the only place where spammers can use null sender addresses, and so if it was useful this way I'd expect spammers to have been using null senders already. Instead I believe that outlook.com spam is pretty much the first big source of this that I've seen.
There's a number of possible things this might do on outlook.com specifically. First, perhaps the spammers have figured out how to exploit a message submission path that requires less authentication, does less spam checking on outgoing email, or is easier to use in bulk but that requires null senders. Here, the null sender is more or less a side effect of the submission path and the spammers don't particularly care about it.
An obvious speculation is that the spammers have found that using a null sender slows down outlook.com's abuse handling process. I don't particularly believe this, since the null sender spam I've trapped has plenty of peculiar internal Microsoft headers. Given that Microsoft hosts disparate things behind the outlook.com name, I'd expect that these headers are what Microsoft actually uses to backtrack spam.
However, there's a related possibility. It's quite possible that a place like outlook.com uses the volume of SMTP time rejections as a signal of badness. If a lot of the email that a particular address sends out gets rejections, well, that's probably worth paying attention to. It could well be that using a null sender mostly defeats this precaution, buying the spammers more time (and more spam) before outlook.com's automated measures stop them. Of course this shouldn't really be the case, since outlook.com has those internal tracking headers even with a null sender, but, well, it's already been established that Microsoft is falling down on the job.
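The rejection-volume signal speculated about above, as an added example (not code from the original post, and not a description of how outlook.com actually works). It assumes a constructed delivery log in which each record carries a hypothetical internal account identifier, the envelope sender, and the SMTP reply code; the threshold and minimum volume are likewise assumptions.

```python
from collections import defaultdict

# Constructed sample of outbound delivery results:
# (internal account id, envelope sender, final SMTP reply code).
# The account id stands in for whatever internal tracking header the
# provider stamps on outgoing mail; all names here are hypothetical.
LOG = (
    [("acct-spam", "", 550)] * 8               # null-sender spam, mostly rejected
    + [("acct-spam", "", 250)] * 2
    + [("system-dsn", "", 250)] * 40           # genuine bounces, also null sender
    + [("acct-alice", "alice@example.com", 250)] * 9
    + [("acct-alice", "alice@example.com", 550)] * 1
)

BY_ACCOUNT, BY_SENDER = 0, 1  # which field of a record to aggregate on


def rejection_rates(log, key_index):
    """Return {key: (fraction of 5xx rejections, message count)}."""
    totals = defaultdict(int)
    rejected = defaultdict(int)
    for record in log:
        key = record[key_index]
        totals[key] += 1
        if 500 <= record[2] < 600:  # permanent SMTP-time rejection
            rejected[key] += 1
    return {k: (rejected[k] / totals[k], totals[k]) for k in totals}


def flagged(log, key_index, threshold=0.5, min_volume=5):
    """Keys whose rejection rate meets the threshold at meaningful volume."""
    rates = rejection_rates(log, key_index)
    return sorted(k for k, (rate, n) in rates.items()
                  if n >= min_volume and rate >= threshold)


if __name__ == "__main__":
    # Keyed on envelope sender, the spam shares the "" bucket with real
    # bounces, so its rejections are diluted and nothing is flagged.
    print("by sender: ", flagged(LOG, BY_SENDER))
    # Keyed on the internal account id, the same traffic stands out.
    print("by account:", flagged(LOG, BY_ACCOUNT))
```

Aggregating on the envelope sender puts the spam run in the same bucket as every legitimate bounce, which is why the signal only works when it is keyed on something the sender cannot blank out.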
Finally, there's an obvious answer: spammers are simply saving themselves the effort of coming up with sender addresses, especially ones that won't trip over SPF or DMARC or whatever policies, or hit other issues. I don't think I've ever seen a spam of this nature that wants you to reply to the sending address; when they want email replies at all, the spam has a Reply-To: to somewhere else (and if From: matters, that can be forged). Given that outlook.com lets the spammers use the null sender, well, that gets them out of that little bit of work.
(Of course all of this is empty theorizing about something I'll probably never have the answer to. But the whole situation bugs me, as you can probably tell. And if spam from null senders is going to trend up in general, that's going to affect mail filtering systems.)