Email Security.cloud

  • 1.  blocking messages with no sender address

    Posted Feb 26, 2016 11:44 AM

    Last night we received a couple of spam e-mails in which my Outlook client showed a "friendly name" for the sender, but then when I opened the messages, the sender had only the "friendly name", with no e-mail address. I went to my Exchange server and ran the Message Tracking tool, searching on the subject lines of the messages. The "Sender" column was empty on multiple messages with those subjects.

    I was able to look at the MessageId column and get the domain of the sending smtp server, mail.mcdlv.net, which I have added to our blocked domains, since there wasn't a sending domain in the e-mail headers that I could use.

    My question is, why don't the spam filters by default block messages with a blank sender? Just like postal mail that arrives at your house with no return address, it's a sure sign it's junk mail.



  • 2.  RE: blocking messages with no sender address

    Posted Feb 26, 2016 12:58 PM

    Hi Brian,

    Because of the way SMTP operates, there are situations where a blank sender is not only accepted, but actually required. Any email that a server sends as an automated response should by RFC standards contain a blank MAIL FROM.  This includes "Out of Office" and "Read"/"Not Read" notifications.  This is to prevent an infinite game of Out of Office ping-pong.  Also, any NDRs sent by a server should have a blank MAIL FROM for the same reason.

    Also note that emails have two types of sending address.  The Envelope Sender and the Body Sender.  The Envelope Sender is the address presented as the MAIL FROM by the sending server when communicating to the recipient server.  It is considered the true address.  The body from is simply a line in the email headers that says "From: sender@domain.com".  While in most general correspondence, these addresses match, it is not uncommon for them to be different.  Legitimate cases would be newsletters for instance.  The Envelope Sender will be something like bounces-37484894@newsletterservice.com but the Body From that the recipient sees in their mail client will be something friendly and recognizable like newsletter@myhobby.com.  Spammers will also take advantage of this to obfuscate the sender.  

    Lastly, I would note that mcdlv.net belongs to Mail Chimp, a well-known email marketing service.  They have a pretty solid reputation and should be accepting of abuse by their customers.  If the email was sent from their system, there should be abuse contact information in the headers to report it to them.  It is possible that someone illegitimately added you to their marketing list.  Additionally, there may be newsletters sent out from Mail Chimp that some of your users wish to receive that may be blocked by adding it to your Blocked Senders.  Generally, emails from Mail Chimp should have a sending email address ending in that domain.  If you were receiving the emails with no Envelope Sender, then blocking the domain wouldn't affect those anyway because the Blocked Senders works on the Envelope Sender address.  It would only block ones where they have included a sending address, which will be along the lines of: bounce-mc.us7_82754725.806393-recipientusername=recipientdomain.com@mail2.atl21.mcdlv.net

    Without specific details of the messages you received, this is unfortunately about the most I can provide information-wise.  If you would like to send me a Private Message with specific details of the messages in question, I might be able to provide a little more insight into those specific messages.  Ideally, the full internet headers, but even just the subject and recipient address, should let me provide more information.
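
Added example, not part of the reply above and not the product's own filtering logic: a triage sketch for the Envelope Sender versus Body From distinction, separating null-sender mail that looks like a bounce or auto-reply from null-sender mail that deserves review. It assumes the delivering server recorded MAIL FROM in a `Return-Path` header and that automated replies carry `Auto-Submitted` (RFC 3834) or a `multipart/report` type; the verdict names and sample messages are constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

def classify(raw):
    """Return (envelope_sender, header_from, verdict) for one raw message."""
    msg = message_from_string(raw)
    rp = msg.get("Return-Path")
    if rp is None:
        return None, None, "no-return-path"      # envelope sender was not recorded
    env = rp.strip().strip("<>").strip().lower() # "<>" becomes "" (null sender)
    addr = parseaddr(msg.get("From", ""))[1].lower()
    hdr = addr if "@" in addr else ""            # friendly name only: no address
    if env == "":
        auto = msg.get("Auto-Submitted", "no").split(";")[0].strip().lower()
        if msg.get_content_type() == "multipart/report" or auto != "no":
            return env, hdr, "null-sender-automated"  # NDR, out-of-office, receipt
        return env, hdr, "null-sender-review"    # blank MAIL FROM, ordinary content
    if env.rpartition("@")[2] != hdr.rpartition("@")[2]:
        # Common for legitimate newsletters, so informational rather than a block.
        return env, hdr, "envelope-differs-from-header"
    return env, hdr, "aligned"

# Constructed sample messages (not the messages discussed in this thread).
SAMPLES = {
    "ndr": ("Return-Path: <>\n"
            "From: MAILER-DAEMON@mx.example.net\n"
            "Subject: Undeliverable\n"
            'Content-Type: multipart/report; report-type=delivery-status; boundary="b"\n'
            "\n--b\nContent-Type: text/plain\n\nDelivery failed.\n--b--\n"),
    "ooo": ("Return-Path: <>\n"
            "From: Alice <alice@example.com>\n"
            "Auto-Submitted: auto-replied\n"
            "Subject: Out of Office\n\nBack on Monday.\n"),
    "newsletter": ("Return-Path: <bounces-37484894@newsletterservice.com>\n"
                   "From: My Hobby <newsletter@myhobby.com>\n"
                   "Subject: March issue\n\nHello.\n"),
    "spam": ("Return-Path: <>\n"
             "From: Diet Tips\n"
             "Subject: Constructed marketing subject\n\nBuy now.\n"),
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, classify(raw))
```
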



  • 3.  RE: blocking messages with no sender address

    Posted Feb 26, 2016 01:44 PM

    OK, I just removed that domain from the blocked senders, especially since our e-comm department uses MailChimp for campaigns.

    Someone definitely illegitimately added a lot of addresses at my company to marketing lists for "Mother natures red bull" and "Eat this snack before bet to burn fat while you sleep" (those are the two subject lines). I normally get 1 or 2 spams a night, always with weird domains on the sender address like matingroadcord.co (which are obviously "burn domains"). Always about some diet supplement, credit score service, scholarships/grants, even LifeLock. And always to multiple users at our domain.

    I'll PM you with more details on the messages.