The null sender spammers now seem to be entrenched on outlook.com

October 26, 2015

A bit over a month ago I wrote about how spam from outlook.com had started showing up with a null sender address (a MAIL FROM of '<>'). It will probably not surprise you to hear that this spam has continued, and in fact has likely intensified. Based on what I've seen in our logs and in a spamtrap that I enabled in order to collect samples of this spam, a number of spammers appear to have worked out that Microsoft will let them get away with this and are happily spamming away.

(One of the spam samples I captured was a reasonably targeted phish spam, which makes me even more annoyed with Microsoft.)

Our anti-spam appliance keeps logs, of course, and this gives me a way to assess just how much null sender spam has been showing up here. Based on logs from the past ten full days, it breaks down like this:

  • 490 null sender messages sent to us from .protection.outlook.com hosts, out of 2,570 messages from them in total. So about one in five.

  • 249 had a 90% or higher spam score; 30 had one in the 80% range and 17 in the 70% range, which is roughly our cutoff for scoring something as spam. So more than half were spammy enough that our system saw them as clear spam.

  • Out of the outlook.com messages without null senders, only 23 scored 90% or higher, 16 in the 80% band, 4 in 70%, and 3 in 60%. In fact, 1860 of the 2080 scored under 10%.
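The breakdown above is the kind of tally you can pull out of any mail log that records the connecting host, the envelope sender and the spam score. The script below is an added example, not the author's appliance or its log format: the log lines are constructed for the illustration, the host names are made up, and the 70% cutoff is the post's rough spam threshold. It separates outlook.com traffic into null-sender and non-null-sender groups, bins each group's scores into 10% bands, and reports what fraction of the null-sender messages scored as spam.

```python
"""Tally null-sender messages from outlook.com relays in anti-spam logs.

Added example. The log format and the host names below are constructed for
this illustration and are not any real appliance's output. Each line carries
the connecting host, the envelope sender (MAIL FROM; '<>' is the null sender)
and the spam score as a percentage.
"""
import re
from collections import Counter

# Constructed sample log lines (not real appliance output).
SAMPLE_LOG = """\
2015-10-20T03:11:02 host=relay-a.protection.outlook.com from=<> score=97
2015-10-20T03:12:45 host=relay-b.protection.outlook.com from=<alice@example.org> score=4
2015-10-20T03:15:10 host=relay-a.protection.outlook.com from=<> score=84
2015-10-20T03:20:33 host=mx.example.net from=<> score=12
2015-10-20T03:22:08 host=relay-b.protection.outlook.com from=<> score=71
2015-10-20T03:25:51 host=relay-b.protection.outlook.com from=<bob@example.com> score=93
2015-10-20T03:30:17 host=relay-a.protection.outlook.com from=<> score=55
"""

LINE_RE = re.compile(r"host=(?P<host>\S+) from=<(?P<sender>[^>]*)> score=(?P<score>\d+)")
OUTLOOK_SUFFIX = ".protection.outlook.com"
SPAM_CUTOFF = 70  # the post's rough cutoff for scoring something as spam


def parse_line(line):
    """Return (host, sender, score) for a matching line, else None."""
    m = LINE_RE.search(line)
    if not m:
        return None
    return m.group("host"), m.group("sender"), int(m.group("score"))


def score_band(score):
    """Bucket a 0-100 score into its decade: 97 -> 90, 84 -> 80, 4 -> 0."""
    return (score // 10) * 10


def tally_outlook(log_text):
    """Summarise outlook.com traffic split by null vs. non-null sender.

    Returns totals, per-band Counters and the count at or above the cutoff
    for each group, mirroring the breakdown in the post.
    """
    summary = {
        "total": 0,
        "null": {"count": 0, "bands": Counter(), "spam": 0},
        "nonnull": {"count": 0, "bands": Counter(), "spam": 0},
    }
    for line in log_text.splitlines():
        parsed = parse_line(line)
        if parsed is None:
            continue
        host, sender, score = parsed
        if not host.endswith(OUTLOOK_SUFFIX):
            continue  # only outlook.com relays are of interest here
        summary["total"] += 1
        group = summary["null"] if sender == "" else summary["nonnull"]
        group["count"] += 1
        group["bands"][score_band(score)] += 1
        if score >= SPAM_CUTOFF:
            group["spam"] += 1
    return summary


def null_sender_spam_fraction(summary):
    """Fraction of null-sender outlook.com messages at or above the cutoff."""
    n = summary["null"]["count"]
    return summary["null"]["spam"] / n if n else 0.0


if __name__ == "__main__":
    s = tally_outlook(SAMPLE_LOG)
    print(f"outlook.com messages: {s['total']}, null sender: {s['null']['count']}")
    for name in ("null", "nonnull"):
        bands = ", ".join(f"{b}%: {c}" for b, c in sorted(s[name]["bands"].items(), reverse=True))
        print(f"  {name:7s} n={s[name]['count']:3d} spam>={SPAM_CUTOFF}%: {s[name]['spam']}  bands: {bands}")
    print(f"null-sender spam fraction: {null_sender_spam_fraction(s):.2f}")
```

On the constructed sample this gives six outlook.com messages, four of them with a null sender, three of those at or above the cutoff; the same split applied to real logs is what lets you judge whether null-sender mail from a given relay is skewed toward spam the way the post's numbers are.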

Now, this doesn't mean that our anti-spam appliance has scored these correctly either way (and in fact I suspect that almost all of the null sender messages were actually spam). But it does strongly suggest that the messages with null senders are very much skewed towards spam instead of legitimate email (and obvious spam at that), and thus that this is a signal that Microsoft should be looking at and doing something about. If they cared and paid attention, that is. Which they clearly don't.

(Someday they will, when sufficiently many spammers figure this particular trick out that the wave of spam becomes a real problem for Microsoft. But that's probably going to take a while and in the meantime Microsoft's corporate indifference is subjecting the rest of us to a steadily increasing barrage of spam from their servers.)


Comments on this page:

By gurubert@gurubert.de at 2015-10-26 05:04:35:

Do you reject the identified SPAM mail in the SMTP dialog so that Microsoft has to deal with the crap? Or do you accept and tag it so your users have to deal with it?

By cks at 2015-10-26 08:21:06:

It depends on what users have opted into; we don't have a political mandate to do rejection at SMTP time for everyone. Only some people have opted into SMTP-time rejection (although it turns out that some of them are probably among our most heavily spammed users).

The stats here are for our general mail scan that happens after we've accepted the mail message (for technical reasons we may scan twice; some more details of our server-side anti-spam stuff are here). I just looked at quick stats for the SMTP time filtering we may do and they look roughly the same except that null-sender email is about 40% of all email from protection.outlook.com hosts.

(A bit more on the political mandate issue is here.)

Written on 26 October 2015.

Last modified: Mon Oct 26 00:42:10 2015