Message not getting Blocked at SMTP
Problem reported by kevind - 6/2/2026 at 7:46 PM
Known
Reviewing some messages in Junk folder with a scores of 40+ points. The header shows:
        Reverse DNS Lookup [ForwardFailed]: 20, Null Sender: 20, etc.

If we have SMTP reject set to 30 points, I thought this message would get blocked at SMTP? Let me know what I'm missing.
Thanks!
J. LaDow Replied
The delivery logs (if set to detailed) should show what SM is doing to the message with that rule processing and scoring.

I ran into this dealing with a separate issue and I'll look at our settings to see what I finally setup that got it "rejecting" at the SMTP level for things like reverse DNS and others.

-- it may take me a little bit but I'll post what we have shortly.


MailEnable survivor / convert --
kevind Replied
Changed this from a Question to a Problem as Null Sender is not being used to block messages during SMTP. Here's a sample header that scored 47+ during SMTP, but still got delivered even though SMTP block set to 30.

Return-Path: <>
Received: from euynqy.xyz (euynqy.xyz [194.169.163.254]) by SM-GATEWAY
    with SMTP(version=TLS\Tls12cipher=Aes256 bits=256);
    Mon, 15 Jun 2026 12:34:18 -0400
Received: from euynqy.xyz (euynqy.xyz [194.169.163.254]) by SM-GATEWAY with SMTP
    (version=TLS\Tls12
    cipher=Aes256 bits=256);
   Mon, 15 Jun 2026 12:34:18 -0400
X-SmarterMail-SpamAction: Medium | MoveToFolder
X-SmarterMail-TotalSpamWeight: 57
X-SmarterMail-Spam: DMARC [skipped - No Return Path]: 0, Reverse DNS Lookup [ForwardFailed]: 15, Null Sender: 20, ISpamAssassin [raw:1.4]: 2, SPF [None]: 5, DKIM [None]: 3, _ARC: none,  A: 2, R: 10, etc.
Tony Scholz Replied
Employee Post
Hello,

There’s a known issue with the Null Sender not being applied to the `Inbound SMTP` weight. The fix for this is currently being tested and should be included in the next release.

Thanks,
Tony Scholz
Lead Network/System Administrator
SmarterTools Inc.
kevind Replied
Great!
Thanks, Tony, for confirming this is a known issue.
John Quest Replied
CAUTION: Email servers are required to accepting incoming email from NULL senders.

There are very real valid reasons why NULL senders (return path) must be accepted, as those are specifically required for such things as bounce messages, non-delivery messages, and so forth.

RFC 5321
kevind Replied
Email servers are required to accepting incoming email from NULL senders???
NULL senders (return path) must be accepted???

This can't be true. Spammers would do this all the time as it's an open door...
David Fisher Replied
@kevind 

  What @John Quest is saying, is you cannot terminate the SMTP session once you say MAIL FROM:<> you have to allow it to continue and accept the DATA entry, unless something else made you block it at SMTP level (Before the DATA), like not passing SPF, or RDNS.

  It is not right to put a SMTP Block on NULL Sender.  You can add points and block it after the session ends though.
John Quest Replied
This can't be true.

@kevind Did you read the RFC?

@David Fisher Thanks for clarifying. Correct, you must not drop/close an incoming SMTP session based solely upon it being from a NULL SENDER. You must allow the session to complete. 

@kevind What you do with the written email after the session is complete and the email is fully received, is up to you.

BUT, if you block incoming NULL SENDER or process it after receipt and delete it, you will be missing on critical important notifications, which will include bounce notifications from domains using MimeCast or Office365 and others, who accept all email and then bounce non-existent recipients by creating a separate notification.

Douglas Foster Replied
@kevind  To elaborate
Null senders are designed for use with non-delivery reports.   An infinite loop would be created if a non-delivery report triggered a non-delivery report.   So the specification says that the sender should be left null anytime that a reply might trigger a loop.

In general, it is not abused very much.   Many years ago, there was a wave of attacks based on fake non-delivery reports, but they seem to have fallen out of favor a long time ago.

Note that there are two types of automated messages:   Out-of-office messages are sent by the email system on behalf of the target user.   The From address should be the original recipient address.  I think the sender usually matches the From address, because the system knows that it should only send one out-of-office message per recipient per day..   Non-delivery notices are sent on behalf of the mail system, not the user.  They have a null sender to prevent loops, and the From address is usually postmaster@targetdomain.

So how to handle fakes?
One technique is to use BATV, a technique to prove that a bounce is legitimate, by adding a secret prefix to the user portion of the sender address.   It is an expired IETF draft, meaning an idea that never received official blessing, but it is used.   The Wikipedia link below has a link to the original draft.
Barracuda and Office365 have made proprietary variations of this idea.   Sender Rewriting Scheme (SRS) is a similar technique, and is also referenced in the Wikiepedia article.  It was designed to document a forwarding operation, but it has also seen limited use as an invalid bounce detector.   I have BATV on my messages because I use a Barracuda product, but it has been years since it flagged an invalid bounce.

The SPF specification says that if the sender is null, do the SPF test based on the HELO name.   This is not much different from doing forward-confirmed DNS lookups, and to my mind, it is pretty useless for email security.

My solution:   A null sender asserts to be an automated message on behalf of the From domain, so a more useful test is to treat the From address as the sender address, then do the SPF check on that basis.   Since this is only my idea, you will not find a product that works this way.  But I customized the Python PYSPF module to my liking, and I have been very happy with this solution to the authentication problem.   It was an important detail for me, because I require every message to be authenticated -- unauthenticated messages go to quarantine unless they are blocked for some other reason.  Code available on request.

Hope this helps.

Reply to Thread

Enter the verification text