Blocking spam emails with hidden or missing From address

There indeed seems to be going around some junk emails which result in broken Outlook user interface elements when it comes to recognizing the From address.

Most noticeable issues are;

• Outlook for Windows
  • The Junk command is displayed but doesn’t do anything.
  • No Contact options are shown when right clicking on the From field in the Reading Pane.
  • The Contact Card does not contain an email address.
• Outlook on the Web and the New Outlook for Windows
  • The Block command is not available.
  • The Contact Card doesn’t open when hovering over the name in the From field in the Reading Pane.

I personally received some as well and not all of them were filtered out by the (Exchange Online) Junk Email Filter either.

Luckily, with a workaround, you can still successfully block these emails.

Internet Message Header; What is going on?

As always, when I encounter a “curious” message (and especially when it bypasses the Junk Email Filter), the first thing I do is looking at the Message Header.

You can do this in the following way;

• Outlook for Windows
  Double click on the message to open it in its own window-> File->  Properties-> field: Internet headers
• Outlook on the Web and Outlook.com
  In the Reading Pane, click the 3 dots menu which is in the same line as the Reply, Reply All, and Forward button-> View-> View Message Details

To more easily analyze it, copy/paste the contents from that field into Notepad.

Since we are dealing with a “missing” From address, search for: From:
(Yes, that is followed by a colon and a space)

In some cases, you might now see that there actually is a From address specified, but it might not look as expected.

For the affected Junk Emails I received, they had From fields similar to the ones below;

• From: =?UTF-8?B?UXVpY2tib29rcyBQYXltZW50cw==?= ,-<hidden@example.com>
• From: AARON RAMSEY
• From: outlook.com<Microsoft365 Secure>
• From: "Hill" <@example.com>

Part of a Message Header with a suspicious From field.

Analysis of the broken From headers

OK, things get a bit more technical from here. If you want, feel free to skip this part and directly go to one of the 2 workarounds.

Looking at the first example, the beginning of the found From header in our example looks interesting but it is “merely” a Base64 encoded UTF-8 string. Decoded it says; Quickbook Payments

The breaking part happens in the second part where a comma and a dash character is directly in front of the opening angle bracket (no space in between).

For the remaining 3 examples it is a bit more obvious why they don’t show a From email address; They simply don’t contain a valid one.

For reference, it most cases, it normally looks like this;
Display Name <email address>

Or it simply only shows an email address without a display name and without enclosing the email address in angle brackets.

Bug, feature request, or more aggressive scanning needed?

I’ve asked the Outlook Team and the Exchange Team for clarification regarding the handling of messages with this malformed (not RFC compliant?) From addresses.

In their defense; The bottom 3 examples were successfully filtered out as spam, so I’m not really bothered with those.

So more specifically, I requested whether the first example can also be properly recognized as spam and additionally whether to make the Outlook user interface more resilient and robust so it will still recognize the SMTP address and not break, amongst others, the Contact Card and Junk Email end-user features.

Workaround 1: Block specific sender

Now that you’ve found the actual From address, we can block it but unfortunately not by adding it to the Block Senders list as Outlook doesn’t recognize the From address.

Instead we can block it by using a Message Rule which looks for the address in the Message Header.

1. Open the Rules and Alerts dialog;
   File-> Manage Rules & Alerts
2. New Rule…
3. Start from a blank rule: Apply rule on messages I receive
4. Condition: With specific words in the message header
   • In the bottom section, click on “specific words” to specify the address that you found in the message header.
5. Action: move it to the specified folder
   • In the bottom section, click on “specified” to select your Junk Email folder.
6. Action: stop processing more rules
7. Click Next until you finish the Rules Wizard.

If you want to do this in Outlook on the Web, Outlook.com or the New Outlook for Windows, you can create rules via;

• Gear icon in the top right-> View all Outlook settings-> section Mail-> Rules-> Add new rule-> Condition: Message header includes

Note: Don’t be bothered with emails that are already filtered into the Junk Email folder; Only focus on what’s still coming into your Inbox.

Workaround 2: Block most future senders

Instead of blocking this kind of spam per email address, you might prefer something more generic so that all future spam from other email addresses are blocked as well. After all, spammers don’t usually reuse email addresses but they do reuse tactics (for a certain period of time at least).

Again, in this case we’re only going to focus on the first example as the other 3 examples were filtered out correctly already.

You might think at first to block it based on the encoded Display Name, but that is actually more common than you think, even for legitimate emails.

For instance, names of people which are not based on the ASCII characters are encoded. Another example is where the display name contains symbols. The newsletter from Lego for instance uses the “Registered” character (®) in the display name and uses a Base64 encoded UTF-8 string to do so.

So when looking for another generic marker within the first example, the character combination which actually “broke” the Junk Email Filtering and Contact Card feature within Outlook was; ,-<

As this is not a common character combination to find in the entire message header of other messages either, it is relatively safe to use this as a trigger to Junk the message.

Obviously, when your non-filtered messages contain different generic marker(s), use that or those instead.