KB - How come the sender address is different in Outlook and in ORF?

Emails have two type of sender addresses: the first is called the SMTP envelope sender address, which is submitted by the sender server in the MAIL FROM: command during the SMTP transport – this is what ORF works with and logs. The other is called the MIME sender address, which is stored in the email header and this is what your email client (e.g., Outlook) shows.

These two addresses match in most cases, but not necessarily: it is absolutely legal to use different SMTP and MIME address information. The Bcc: addressing, mailing lists, CRM software and other systems with automatic bounce-handling often take advantage of this.

Spammers also tend to use different SMTP and MIME sender addresses to confuse the recipient, for example using the recipients own address as the MIME sender address, so it seems the user received the spam from his own address. To blacklist such spam, you should use a Keyword Blacklist expression which checks the MIME header instead of the Sender Blacklist. For detailed instructions, read the Other campaigns: MIME sender spoofing section of our related article).