Suspicious incoming mails

Problem reported by Nageswara Rao Anumolu - 7/15/2025 at 11:45 PM

Submitted

My users receiving lot mails from no-reply@mydoman.

senderEmail(2): no-reply@****group.org parsed using: "****group ." <no-reply@****group.org> is being treated as from: no-reply@****group.org which is wrong.

These message are getting quarantined by ClamAV. What if the mail passes ClamAV and goes to customer inbox/spam ?

How to reject these mails reaching the spool ?

EMail Header

Return-Path: <>

Received: from [10.88.0.3] (17.205.73.34.bc.googleusercontent.com [34.73.205.17]) by mx-ids-4.idslinfo.com with SMTP;

Wed, 16 Jul 2025 08:50:10 +0530

Content-Type: multipart/related; boundary="===============1753619820824428618=="

MIME-Version: 1.0

From: "****group ." <no-reply@****group.org>

To: *********@****group.org

Subject: =?utf-8?q?**Action_Required=3A_Your_Mailbox_is_full?=

X-Priority: 2

Message Text

Message from Trusted server.

Greetings from .com Team.

Your Mailbox is full

UsageUpgrade

92% of 999 GB

The email reception for the account ( *********@****group.org ) will be blocked as soon as the mailbox storage size exceeds the allocated storage. We suggest following the below to upgrade and allocate additional storage for free.

UPGRADE

Thanks,

.com Team 2025.

SMTP Logs

[2025.07.16] 08:50:09.631 [34.73.205.17][43389284] Connection initiated

[2025.07.16] 08:50:09.637 [34.73.205.17][43389284] rsp: 220 mx-ids-4.idslinfo.com

[2025.07.16] 08:50:09.638 [34.73.205.17][43389284] connected at 7/16/2025 8:50:09 AM

[2025.07.16] 08:50:09.638 [34.73.205.17][43389284] Country code: US

[2025.07.16] 08:50:09.852 [34.73.205.17][43389284] cmd: ehlo [10.88.0.3]

[2025.07.16] 08:50:09.857 [34.73.205.17][43389284] rsp: 250-mx-ids-4.idslinfo.com Hello [34.73.205.17]250-SIZE 104857600250-AUTH PLAIN250-STARTTLS250-8BITMIME250-SMTPUTF8250-DSN250 OK

[2025.07.16] 08:50:10.072 [34.73.205.17][43389284] cmd: mail FROM:<> size=12821

[2025.07.16] 08:50:10.078 [34.73.205.17][43389284] senderEmail(1):

[2025.07.16] 08:50:10.090 [34.73.205.17][43389284] rsp: 250 OK <> Sender ok

[2025.07.16] 08:50:10.090 [34.73.205.17][43389284] Sender accepted. Weight: 0. Block threshold: 30.

[2025.07.16] 08:50:10.306 [34.73.205.17][43389284] cmd: rcpt TO:<*****@****group.org>

[2025.07.16] 08:50:10.308 [34.73.205.17][43389284] rsp: 250 OK <*****@****group.org> Recipient ok

[2025.07.16] 08:50:10.523 [34.73.205.17][43389284] cmd: data

[2025.07.16] 08:50:10.523 [34.73.205.17][43389284] Performing PTR host name lookup for 34.73.205.17

[2025.07.16] 08:50:10.523 [34.73.205.17][43389284] PTR host name for 34.73.205.17 resolved as 17.205.73.34.bc.googleusercontent.com

[2025.07.16] 08:50:10.529 [34.73.205.17][43389284] rsp: 354 Start mail input; end with <CRLF>.<CRLF>

[2025.07.16] 08:50:10.744 [34.73.205.17][43389284] senderEmail(2): no-reply@****group.org parsed using: "****group ." <no-reply@****group.org>

[2025.07.16] 08:50:10.777 [34.73.205.17][43389284] DMARC Results: Skipped (No Return Path), Reason: Unknown, Reject? False

[2025.07.16] 08:50:10.777 [34.73.205.17][43389284] rsp: 250 OK

[2025.07.16] 08:50:10.785 [34.73.205.17][43389284] Received message size: 12824 bytes

[2025.07.16] 08:50:10.786 [34.73.205.17][43389284] Successfully wrote to the HDR file. (d:/SmarterMail/Spool/SubSpool2/611974449166.hdr)

[2025.07.16] 08:50:10.786 [34.73.205.17][43389284] Data transfer succeeded, writing mail to 611974449166.eml

[2025.07.16] 08:50:10.992 [34.73.205.17][43389284] cmd: quit

[2025.07.16] 08:50:10.992 [34.73.205.17][43389284] rsp: 221 OK

[2025.07.16] 08:50:10.992 [34.73.205.17][43389284] disconnected at 7/16/2025 8:50:10 AM

3 Replies

Reply to Thread

Douglas Foster Replied

7/16/2025 at 5:59 AM

This is not really a bug by most interpretations, but it does expose the holes in many email defense systems.

First, it uses a null sender (SMTP Mail From is empty). Spammers have discovered that this is a powerful tool for confusing email filtering software that puts a lot of emphasis on the Mail From address and not much importance on the message From address. Most legitimate messages with null sender should be non-delivery notices, but I have seen an occasional exception .

A null sender SHOULD mean "this is an automatically-generated message on behalf of the entity in the From address." Therefore, when the sender is null, it is very appropriate to use the From address to perform an SPF check, This also requires performing the SPF check in Declude, after the whole message has been received, rather than in SmarterMail during the SMTP session. This blocks most all of my incoming attacks that use null sender. (Many will note that this is NOT how the SMTP specification says you should handle a null sender. I am saying that the specification is simply wrong. Choose whom to believe.)

It is also very useful to perform a DMARC check on all messages. I use the default setting of relaxed alignment. (To reduce overhead, I don't even look for the senders DMARC policy, because I always perform the test, always ignore the configured disposition rule, and don't think the distinction between strict and relaxed alignment matters very much.)

Using these approaches, the message would have produced something other than PASS for both SPF and DMARC. Impersonation is only ruled out when the result is PASS, so this impersonation test would have failed both tests using my scheme.

Both SPF and DMARC will produce results other than PASS for many legitimate messages, so you need a safe way to override, based on underlying identifiers that are verified. For SPF, the local policy rule produces SPF-equivalent PASS when the host name is verified by forward-confirmed DNS and the host domain is determined to be the source of legitimate messages for the Mail From domain. The DMARC-equivalent rule says that a verified Mail From domain is determined to be a legitimate source of messages for a particular message From domain (even though the relationship between the two is something other than same-organization.)

Some of these null sender attacks will pass my SPF and DMARC tests, so I have an additional rule in Declude to block messages with (a) null sender, (b) no return-path header field, and (c) from domain is not in my allowed list. The beauty of Declude is that it can enforce a rule based on multiple criteria occurring together.

To get all this done, I use Python code for SPF, DMARC, and forward-confirmed DNS tests. All of it is based on freeware with minor customizations. Most of my local policy is implemented using stored procedure calls to a SQL database. Some things are still done with Declude filters because Declude does regular expressions well and SQL Server does not. All of the code available on request.

John Quest Replied

7/19/2025 at 9:08 AM

This is not a bug as Doug has said. It is a long known method but is becoming more common.

I actually have a filter that will HOLD a null sender incoming email with listed exceptions.

Remember, if the war on spam were easy, it would be over by now.

In this day and age, email filtering must be a hands on eyes on ordeal, otherwise as you ask, some fufu will get through.

Douglas Foster Replied

7/21/2025 at 4:31 AM

To be specific, here are my two Declude filters:

*** NULLISOK filter **** (Any match indicates a sender is not null or null sender is plausible)

MINWEIGHTTOFAIL 1

MAXWEIGHT 1

MAILFROM 1 CONTAINS @ # Sender is not null

ALLRECIPS 1 CONTAINS <redacted> # BATV encoding from my gateway indicates valid bounce

TESTSFAILED 1 CONTAINS DKIMCHK-SIGNEDOK # DKIM test result on the From address is PASS

TESTSFAILED 1 CONTAINS FROMTESTPASS # SPF test result on the From address is PASS

HEADERS 1 CONTAINS auto-submitted # Header indicates a normal bounce messages

*** NULLSender filter *** (When all rules match, null sender is not acceptable)

MINWEIGHTTOFAIL 3

MAXWEIGHT 3

MAILFROM 2 NOTCONTAINS @

TESTSFAILED 1 NOTCONTAINS NULLISOK

Back to Community Threads

Please leave this box unchecked

Reply to Thread

Enter the verification text