Some theories about what spammers get out of using null sender addresses

October 27, 2015

In light of spammers exploiting outlook.com with null sender addresses, one obvious question to ask is why they bother doing this. Well, that's not quite the right question, because the obvious answer is 'it helps their spamming somehow'. My real question is how it helps, and on this I have a few theories.

It's possible that anti-spam systems are more likely to let email from null sender addresses through than other email, but I don't really believe this. Outlook.com is not the only place where spammers can use null sender addresses, so if it were useful this way I'd expect spammers to have been using null senders already. Instead, I believe that outlook.com spam is pretty much the first big source of this that I've seen.

There are a number of possible things this might do on outlook.com specifically. First, perhaps the spammers have figured out how to exploit a message submission path that requires less authentication, does less spam checking on outgoing email, or is easier to use in bulk, but that requires null senders. Here the null sender is more or less a side effect of the submission path and the spammers don't particularly care about it.

An obvious speculation is that the spammers have found that using a null sender slows down outlook.com's abuse handling process. I don't particularly believe this, since the null sender spam I've trapped has plenty of peculiar internal Microsoft headers. Given that Microsoft hosts disparate things behind the outlook.com name, I'd expect that these headers are what Microsoft actually uses to backtrack spam.

However, there's a related possibility. It's quite possible that a place like outlook.com uses the volume of SMTP-time rejections as a signal of badness. If a lot of the email that a particular address sends out gets rejected, well, that's probably worth paying attention to. It could well be that using a null sender mostly defeats this precaution, buying the spammers more time (and more spam) before outlook.com's automated measures stop them. Of course this shouldn't really be the case, since outlook.com has those internal tracking headers even with a null sender, but, well, it's already been established that Microsoft is falling down on the job.
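To make the rejection-rate theory concrete, here is an added example (not code from this post, and not anything outlook.com is known to run) of a per-sender rejection-rate signal and of how the choice of bucketing key decides whether a null-sender abuser is caught. The log records, account ids, the `submitter` field (standing in for whatever internal tracking identity a platform attaches to outgoing mail) and the thresholds are all constructed for illustration.

```python
"""SMTP rejection rate as an outbound-abuse signal, and how the choice of
bucketing key decides whether a null-sender spammer is caught.

Added example, not code from the original post. The log records, account
ids and thresholds are constructed; 'submitter' stands in for whatever
internal tracking identity the platform attaches to outgoing mail."""
from collections import defaultdict

# Constructed outbound delivery log: (envelope_sender, submitter, smtp_status).
# "" is the null reverse path <>.  acct-7777 is the abuser; acct-8888 sends
# ordinary bounces/DSNs, which legitimately use <> and are accepted.
SAMPLE_LOG = [
    ("alice@example.com", "acct-1001", "250"),
    ("alice@example.com", "acct-1001", "250"),
    ("alice@example.com", "acct-1001", "550"),
    ("", "acct-7777", "550"),
    ("", "acct-7777", "550"),
    ("", "acct-7777", "550"),
    ("", "acct-7777", "250"),
] + [("", "acct-8888", "250")] * 6


def by_envelope_sender(sender, submitter):
    """Bucket on MAIL FROM; every null-sender message lands in one bucket."""
    return sender or "<>"


def by_submitter(sender, submitter):
    """Bucket on the internal submitting identity, independent of MAIL FROM."""
    return submitter


def rejection_rates(records, key):
    """Return {bucket: (rejected, total)} for delivery attempts grouped by key()."""
    counts = defaultdict(lambda: [0, 0])
    for sender, submitter, status in records:
        bucket = key(sender, submitter)
        counts[bucket][1] += 1
        if status.startswith("5"):          # 5xx = permanent SMTP-time rejection
            counts[bucket][0] += 1
    return {bucket: tuple(c) for bucket, c in counts.items()}


def flagged(rates, threshold=0.5, min_total=3):
    """Buckets whose rejection rate reaches the threshold on enough attempts."""
    return sorted(bucket for bucket, (rejected, total) in rates.items()
                  if total >= min_total and rejected / total >= threshold)


if __name__ == "__main__":
    # Keyed on MAIL FROM, the spammer's 3 rejections are diluted by 6 clean
    # bounces in the shared <> bucket (3/10), so nothing is flagged; keyed on
    # the submitter, acct-7777 stands out at 3/4.
    print(flagged(rejection_rates(SAMPLE_LOG, by_envelope_sender)))  # []
    print(flagged(rejection_rates(SAMPLE_LOG, by_submitter)))        # ['acct-7777']
```

The point of the two keys is the one the paragraph makes: bucketing on the envelope sender throws every `<>` message, legitimate bounces included, into a single bucket, so a spammer's rejections are diluted and any action taken on that bucket would also hit real DSNs. Bucketing on the submitting identity the platform already records keeps the signal intact regardless of what MAIL FROM says.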

Finally, there's an obvious answer: spammers are simply saving themselves the effort of coming up with sender addresses, especially ones that won't trip over SPF or DMARC or whatever policies, or hit other issues. I don't think I've ever seen a spam of this nature that wants you to reply to the sending address; when they want email replies at all, the spam has a Reply-To: to somewhere else (and if the From: matters, that can be forged). Given that outlook.com lets the spammers use the null sender, well, that gets them out of that little bit of work.

(Of course all of this is empty theorizing about something I'll probably never have the answer to. But the whole situation bugs me, as you can probably tell. And if spam from null senders is going to trend up in general, that's going to affect mail filtering systems.)


Comments on this page:

I suspect that the Null Reverse Path "<>" is more used to reduce the Joe jobbing effect.

It's my experience that people only REALLY complain when they are being Joe jobbed. Otherwise, people will just send messages to the Spam / Trash folder.

Ultimately, using the NRP is trivial, and it probably has a measurable effect on sending statistics. So ... why not?

Further, it does complicate MTA level black listing / RBL processing of the SMTP Mail From address. So they probably get past simple / naive filters.
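The post's remark that replies go to a Reply-To: elsewhere (with the From: forgeable) and the comment's point that a null Mail From complicates blacklist lookups both come down to the same filtering question: what does a receiver check when there is no sender domain? The following is an added example, not code from the post or its comments; the sample message, HELO name and domains are constructed, and `lookup_keys()` and `null_sender_signals()` are illustrative helpers rather than any MTA's real API.

```python
"""What to look up when MAIL FROM is the null reverse path <>.

Added example, not code from the post or its comments. The message, HELO
name and domains are constructed; lookup_keys() and null_sender_signals()
are illustrative filter helpers, not any MTA's real API."""
import email
from email.utils import parseaddr

# Constructed sample: a null-sender message whose visible From: is one domain
# and whose Reply-To: (where replies actually go) is another.
SAMPLE_MESSAGE = """\
From: "Account Notices" <notice@example.com>
Reply-To: deals@example.net
To: someone@example.org
Subject: constructed sample message

(body omitted)
"""


def domain_of(header_value):
    """Lowercased domain of the first address in a header value, or None."""
    _, addr = parseaddr(header_value or "")
    return addr.rsplit("@", 1)[1].lower() if "@" in addr else None


def lookup_keys(envelope_sender, helo_name, raw_message):
    """(label, domain) pairs a filter should run list/reputation checks on.

    With a real MAIL FROM its domain leads. With <> there is no sender domain
    to check, so fall back to the HELO name (SPF does the same, RFC 7208
    section 2.4) plus the header domains a recipient would see or reply to."""
    msg = email.message_from_string(raw_message)
    keys = []
    if envelope_sender:
        keys.append(("mail_from", domain_of(envelope_sender)))
    else:
        keys.append(("helo", helo_name.lower()))
    for label, header in (("from", "From"), ("reply_to", "Reply-To")):
        domain = domain_of(msg.get(header))
        if domain and (label, domain) not in keys:
            keys.append((label, domain))
    return keys


def null_sender_signals(envelope_sender, raw_message):
    """Cheap header-only signals worth scoring when the sender is <>.

    Legitimate bounces/DSNs use <> too, so 'null_sender' alone is not
    evidence; combine it with a Reply-To: that points somewhere other than
    the From: domain, which a bounce has no reason to carry."""
    msg = email.message_from_string(raw_message)
    from_domain = domain_of(msg.get("From"))
    reply_domain = domain_of(msg.get("Reply-To"))
    return {
        "null_sender": envelope_sender == "",
        "reply_to_elsewhere": bool(reply_domain) and reply_domain != from_domain,
    }


if __name__ == "__main__":
    print(lookup_keys("", "mail-out.example.com", SAMPLE_MESSAGE))
    print(null_sender_signals("", SAMPLE_MESSAGE))
```

A naive filter that only ever consults the Mail From domain has nothing to look up for `<>` and lets the message through on that axis, which is the gap the comment describes. Falling back to the HELO name and the From:/Reply-To: domains gives the filter something to check, and the Reply-To: mismatch is a signal that ordinary bounce traffic, the legitimate user of `<>`, does not produce.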

Written on 27 October 2015.

Last modified: Tue Oct 27 00:33:12 2015