Question about different versions of Outlook/express as indicated in the X-mailer line
"F. H. Muffman" wrote:
Yes it does, if we are talking about e-mail SPAM, which I am.
> How do you know it was 'forged'? How do you know that the email
> was *not* created by the application in question?
Because it was direct-to-MX, from an IP address listed on a DNSRBL,
and because of the nature of the payload (bitmap drug spam).
When you're talking about zombie-spam, you're talking about a
customized SMTP engine where the spammer has designed the spam to look
legit.
Consider this. I run an SMTP server for a small corporate domain. I
don't have an MX record! Why? Because my A-record points to my SMTP
server. Under SMTP rules, MX lookup failures are supposed to fall
back to the domain's A-record. So bingo, I continue to receive mail.
But guess what - about 75% of zombies don't follow the rules, so when
they get an MX lookup failure for my domain they chug right along and
send out the next spam to the next recipient.
Ok, so 25% of zombie spam gets through. But in my case, 1/2 of that
has "The Bat" in the X-mailer line. So guess what I do - yup - that
stuff goes right into my spam folder.
Of the remaining stuff, I have a few dozen rules, most of it based on
what's in the header, and some of that is the OE version.
Now I can easily check all of my 60k e-mails going back to 1997 and
see if any new spam detection rule would turn up positive on a "good"
e-mail that I've received in the past.
I'm seeing some of these OE versions where the version is something
like 5.00 or 5.50 and either I've never gotten a "good" e-mail with
that version, or the last time I did get a good e-mail was maybe 4 or
5 years ago - so I consider the odds that I'm going to get another
valid e-mail from someone that hasn't updated their computer for 5
years. If the spammers want to help me that much by forging their
spam with such an old version of OE then why not take advantage of it?
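The workflow the post describes, as an added example that is not part of the original post: candidate X-Mailer rules ("The Bat", old Outlook Express versions) are run against a small constructed archive of known-good mail to see which rules would ever have flagged a legitimate message, and how long ago. The message texts, addresses and dates are all constructed for the example.

```python
import email
import re

# Constructed sample mail (not from the original post). Each entry is a
# minimal RFC 822 message; only the headers matter for these rules.
HAM_ARCHIVE = [
    "From: alice@example.com\nDate: Tue, 9 Mar 1999 10:12:00 -0500\n"
    "X-Mailer: Microsoft Outlook Express 5.00.2314.1300\nSubject: hi\n\nold but legit\n",
    "From: bob@example.com\nDate: Mon, 4 Apr 2005 08:00:00 -0400\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2900.2180\nSubject: report\n\nlegit\n",
    "From: carol@example.com\nDate: Fri, 6 May 2005 12:30:00 +0000\n"
    "User-Agent: Mozilla Thunderbird 1.0.2\nSubject: notes\n\nno X-Mailer at all\n",
]
INCOMING = [
    "From: promo@example.net\nDate: Sat, 7 May 2005 03:00:00 +0000\n"
    "X-Mailer: The Bat! (v3.0)\nSubject: offer\n\nspam\n",
    "From: dave@example.org\nDate: Sat, 7 May 2005 04:00:00 +0000\n"
    "X-Mailer: Microsoft Outlook Express 5.50.4522.1200\nSubject: meeting\n\n?\n",
]

OE_VERSION = re.compile(r"Microsoft Outlook Express (\d+\.\d+)", re.I)
OLD_OE_VERSIONS = {"5.00", "5.50"}   # versions the post treats as suspicious


def x_mailer(raw: str) -> str:
    """Return the X-Mailer header of a raw message, or '' if it has none."""
    return email.message_from_string(raw).get("X-Mailer", "")


# Candidate header rules: each takes the X-Mailer value and returns True to flag.
RULES = {
    "the_bat": lambda xm: "the bat" in xm.lower(),
    "old_oe": lambda xm: (m := OE_VERSION.search(xm)) is not None
    and m.group(1) in OLD_OE_VERSIONS,
}


def classify(raw: str) -> list[str]:
    """Names of the rules that fire on one incoming message."""
    xm = x_mailer(raw)
    return [name for name, fn in RULES.items() if fn(xm)]


def false_positives(rule_name: str, ham: list[str]) -> list[str]:
    """Date headers of archived good mail a candidate rule would have flagged.

    An empty list, or only dates years in the past, is the signal the post
    uses to decide a rule is safe to enable against current mail.
    """
    fn = RULES[rule_name]
    return [email.message_from_string(raw)["Date"]
            for raw in ham if fn(x_mailer(raw))]
```

Running `false_positives("old_oe", HAM_ARCHIVE)` on the constructed archive returns only the 1999 message, which is the "last good e-mail years ago" case the post describes.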