KB Article #102444

Blocking email with a NULL From address

Summary:

EMF by default does not block email with a NULL From address. Policies can be set up to do so, but:

  • they may block mail that is not spam and is desired
  • they may not effectively block spam in all cases

Symptom:

You are receiving a large amount of spam with NULL From addresses.

Detailed Information:

Every message that is sent over the Internet uses the "SMTP" mail protocol. Each SMTP message has what is called the message protocol header, which you, the user, normally never see. The protocol header (also called the 2821 header, or "envelope") is processed by each mail relay that the message passes through on its way from source to destination. The protocol header contains fields called MAIL FROM and RCPT TO (among others).

What you do see when you open the message in your email client are the standard (also called 2822, or "MIME") headers, like From, To and Subject. Email clients use these headers to give you the From and To information.

All internet protocols, like SMTP, are defined by the IETF (http://www.ietf.org/) in papers called RFCs.

RFC 2505 specifically recommends that all SMTP mail relays (and EMF is an SMTP relay at its lowest level) ACCEPT all mail with a NULL 2821 From field. Almost all email that is sent via automation (i.e., someone did not type the message into an email client), like notifications of non-delivery ("nondels" or NDNs), mailing list email, even EMF notifications, has a NULL 2821 From field. RFC 2821 specifically states that all SMTP error notifications must specify a NULL 2821 From.

For these reasons, almost all relays, including EMF, accept such email by default.

Note that an address of the form "<>" is considered a NULL address. In a 2822 From address, all characters outside <> are considered commentary, and the <> are assumed to contain the actual email address, allowing commentary characters (like the sender's full name) to be specified. If there are no commentary characters in a 2822 From address, the <> can be omitted. In a 2821 MAIL FROM address, <> is how a NULL sender address is specified.

EMF policy Catch conditions can test against the address expression *@*, i.e., sender not in *@* implies a NULL sender. In EMF 5.6 and later, both the 2822 From and 2821 Sender can be tested.

Prior to EMF 5.6, the same technique could be used, but it was not possible for a policy to check for a NULL 2821 Sender, only 2822 senders. In this case, if the 2821 From is NULL, the 2822 From may still exist, and such spam would not be blocked. Also note that most spammers spoof the 2822 From address, so that it is non-blank. Other methods, like the EMF Dynamic Anti-spam Service (DAS) option, or the Tumbleweed Mailgate product, must be employed for blocking spam.
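
The difference between testing the 2821 sender and the 2822 From can be seen in the following Python example, which is added here and is not EMF or Tumbleweed code. The sample messages are constructed, the function names are hypothetical, and the *@* test is modelled as a simple glob match, which is an assumption about how EMF evaluates the expression.

```python
import re
from email import message_from_string
from email.utils import parseaddr
from fnmatch import fnmatchcase

# Constructed samples: (SMTP envelope command, message text). Not real traffic.
SAMPLES = {
    "bounce":  ("MAIL FROM:<>",
                "From: Mail Delivery Subsystem <MAILER-DAEMON@mx.example.net>\n"
                "Subject: Undeliverable\n\nDelivery failed.\n"),
    "spoofed": ("MAIL FROM:<>",
                'From: "Alice Example" <alice@example.com>\n'
                "Subject: Offer\n\nBuy now.\n"),
    "blank":   ("MAIL FROM:<carol@example.org>",
                "From: <>\nSubject: Hello\n\nText.\n"),
    "normal":  ("MAIL FROM:<bob@example.org>",
                "From: bob@example.org\nSubject: Notes\n\nText.\n"),
}

MAIL_FROM = re.compile(r"MAIL FROM:\s*<([^>]*)>", re.IGNORECASE)

def envelope_sender(command):
    """Return the 2821 reverse-path from a MAIL FROM command ('' when NULL)."""
    match = MAIL_FROM.match(command.strip())
    if match is None:
        raise ValueError("not a MAIL FROM command: %r" % command)
    return match.group(1).strip()

def header_sender(message_text):
    """Return the address part of the 2822 From header, commentary dropped."""
    message = message_from_string(message_text)
    return parseaddr(message.get("From", ""))[1]

def is_null(address):
    """'sender not in *@*' modelled as a glob test (assumed semantics)."""
    return not fnmatchcase(address, "*@*")

def classify(command, message_text):
    """Report which of the two sender fields a NULL-sender test would catch."""
    return {"envelope_null": is_null(envelope_sender(command)),
            "header_null": is_null(header_sender(message_text))}

if __name__ == "__main__":
    for name, (command, text) in SAMPLES.items():
        print(name, classify(command, text))
```

The "bounce" and "spoofed" samples carry the same NULL 2821 sender, so a test on that field treats the wanted notification and the spam alike, while a test on the 2822 From catches neither of them.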

In view of the above, Tumbleweed recommends not trying to block spam based on NULL From address. It is better to block spam with other techniques.