A Microsoft Outlook email forum. Outlook Banter


Question about different versions of Outlook/express as indicated in the X-mailer line



 
 
  #1  
Old October 11th 07, 03:42 PM posted to microsoft.public.outlookexpress.general,microsoft.public.outlook
Mail Man
external usenet poster
 
Posts: 4

I've been identifying some spam based on what appears on the X-mailer
line. I don't use Outlook or OE as an e-mail client. I'm focusing on
spammers who construct (forge) e-mail headers to make the e-mails
appear legit, which frequently means that they construct spams that
appear to have been sent by Outlook or OE.

For example, I'm seeing this in some recent spam:

X-Mailer: Microsoft Outlook Express 5.50.4922.1500

Of my entire e-mail inventory (about 60k e-mails going back to 1998 -
most of it being spam) I have about 2 dozen e-mails (all of them spam)
with the above X-Mailer line.

The first occurrence of that version in my e-mail inventory was in
August 2005, and the most recent was today.

Is 5.50.4922.1500 a valid version of Outlook Express, and if so when
would it have been a current version?

Is there a chronological list of OE versions?
  #2  
Old October 11th 07, 06:47 PM posted to microsoft.public.outlookexpress.general,microsoft.public.outlook
PA Bear
external usenet poster
 
Posts: 3,031

> ...I don't use Outlook or OE as an e-mail client. I'm focusing on
> spammers who construct (forge) e-mail headers to make the e-mails
> appear legit, which frequently means that they construct spams that
> appear to have been sent by Outlook or OE.

I assume you meant "news message headers" and "news post" above.

> X-Mailer: Microsoft Outlook Express 5.50.4922.1500


Translation: Message was sent using OE5.5 SP2. The version above
corresponds not to OE (msimn.exe) but MSOE.DLL. Nevertheless, you can
somewhat determine the version of OE by comparing the version of MSOE.DLL in
the headers to the IE versions listed in
http://support.microsoft.com/?kbid=164539; e.g., v6.00.2900.nnnn corresponds
to OE6 running in WinXP SP2; v6.00.2800.nnnn corresponds to OE6 in WinXP
SP1; etc.

Outlook (OL) doesn't natively handle NNTP news; instead, it invokes OE,
usually as /news only.

IOW, the version of MSOE.DLL you see in the headers doesn't mean the message
was constructed in any "forged" manner; it simply reflects the version of OE
(MSOE.DLL, specifically) used to post the message.
--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.org/




  #3  
Old October 11th 07, 06:51 PM posted to microsoft.public.outlookexpress.general,microsoft.public.outlook
DL
external usenet poster
 
Posts: 2,598

A simple google would have led to
http://support.microsoft.com/kb/330994#top

IE 5.5 Sp2 15 Oct 2002




  #4  
Old October 12th 07, 03:22 AM posted to microsoft.public.outlookexpress.general,microsoft.public.outlook
Mail Man
external usenet poster
 
Posts: 4

PA Bear wrote:

> > ...I don't use Outlook or OE as an e-mail client. I'm focusing
> > on spammers who construct (forge) e-mail headers to make the
> > e-mails appear legit, which frequently means that they construct
> > spams that appear to have been sent by Outlook or OE.
>
> I assume you meant "news message headers" and "news post" above.

No, I don't mean usenet or news messages. I said e-mail, and I meant
e-mail, as in SMTP. Spam is usually associated with e-mail.

> IOW, the version of MSOE.DLL you see in the headers doesn't mean
> the message was constructed in any "forged" manner;

Yes it does, if we are talking about e-mail SPAM, which I am.
  #5  
Old October 12th 07, 05:16 AM posted to microsoft.public.outlookexpress.general,microsoft.public.outlook
F. H. Muffman
external usenet poster
 
Posts: 263

"Mail Man" wrote in message ...
> PA Bear wrote:
>
> > > ...I don't use Outlook or OE as an e-mail client. I'm focusing
> > > on spammers who construct (forge) e-mail headers to make the
> > > e-mails appear legit, which frequently means that they construct
> > > spams that appear to have been sent by Outlook or OE.
> >
> > I assume you meant "news message headers" and "news post" above.
>
> No, I don't mean usenet or news messages. I said e-mail, and I meant
> e-mail, as in SMTP. Spam is usually associated with e-mail.
>
> > IOW, the version of MSOE.DLL you see in the headers doesn't mean
> > the message was constructed in any "forged" manner;
>
> Yes it does, if we are talking about e-mail SPAM, which I am.

How do you know it was 'forged'? How do you know that the email was *not*
created by the application in question?
--
f.h.

  #6  
Old October 13th 07, 03:48 AM posted to microsoft.public.outlookexpress.general,microsoft.public.outlook,comp.mail.headers
Mail Man
external usenet poster
 
Posts: 4

"F. H. Muffman" wrote:

> > Yes it does, if we are talking about e-mail SPAM, which I am.
>
> How do you know it was 'forged'? How do you know that the email
> was *not* created by the application in question?


Because it was direct-to-MX, from an IP address listed on a DNSRBL,
and because of the nature of the payload (bitmap drug spam).

When you're talking about zombie-spam, you're talking about a
customized SMTP engine where the spammer has designed the spam to look
legit.

Consider this. I run an SMTP server for a small corporate domain. I
don't have an MX record! Why? Because my A-record points to my SMTP
server. Under SMTP rules, MX lookup failures are supposed to fall
back to the domain's A-record. So bingo, I continue to receive mail.
But guess what - about 75% of zombies don't follow the rules, so when
they get an MX lookup failure for my domain they chug right along and
send out the next spam to the next recipient.

Ok, so 25% of zombie spam gets through. But in my case, 1/2 of that
has "The Bat" in the X-mailer line. So guess what I do - yup - that
stuff goes right into my spam folder.

Of the remaining stuff, I have a few dozen rules, most of it based on
what's in the header, and some of that is the OE version.

Now I can easily check all of my 60k e-mails going back to 1997 and
see if any new spam detection rule would turn up positive on a "good"
e-mail that I've received in the past.

I'm seeing some of these OE versions where the version is something
like 5.00 or 5.50 and either I've never gotten a "good" e-mail with
that version, or the last time I did get a good e-mail was maybe 4 or
5 years ago - so I consider the odds that I'm going to get another
valid e-mail from someone that hasn't updated their computer for 5
years. If the spammers want to help me that much by forging their
spam with such an old version of OE then why not take advantage of it?
  #7  
Old October 13th 07, 09:44 PM posted to microsoft.public.outlookexpress.general,microsoft.public.outlook,comp.mail.headers
Mail Man
external usenet poster
 
Posts: 4

Here are some recent examples.

In the past 2 days, I've gotten about a dozen spams with the following
versions of OE indicated on the X-Mailer line. I'm also listing the
first and last time I received a valid (good) e-mail with the same OE
version, as well as the cumulative number of spams in 2006 and 2007
with that OE version.

X-Mailer contains 5.50.4133.2400
last good = June 2004, first good = Jan 2001
26 spams 2007, 64 spams 2006

X-Mailer contains 6.00.2600.0000
last good = May 2006, first good = Feb 2002
36 spams 2007, 183 spams 2006

X-Mailer contains 6.00.2800.1106
last good = June 2007, first good = Sept 2002
147 spams 2007, 139 spams 2006

X-Mailer contains 6.00.2800.1158
last good = June 2007, first good = July 2003
21 spams 2007, 129 spams 2006

I typically combine the following in a filter rule:

X-mailer is (or contains) X
X-MimeOLE is (or contains) Y
Content-Type contains Z

For example:

When X = Produced By Microsoft MimeOLE V6.00.2900.3028
When Y = Microsoft Outlook Express 6.00.2900.3028
When Z = multipart/related

Then the only e-mails I have that match the above 3 criteria are 78
spams, all received on or after April 2007.

The Content-Type rule (multipart/related) is very useful to
differentiate between good mail and spam when combined with rules for
specific OE versions.
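
As an added illustration (not part of any post in this thread, and not the poster's actual Netscape filter), the three-header rule above and the back-test against old mail described in post #6 can be expressed in Python. The sample messages are constructed, and the code assumes the MimeOLE string is matched against X-MimeOLE and the Outlook Express string against X-Mailer.

```python
from email import message_from_string

# Rule from post #7: every header condition must match (logical AND).
# Assumption: the MimeOLE string is tested against X-MimeOLE and the
# Outlook Express string against X-Mailer.
RULE = {
    "X-Mailer": "Microsoft Outlook Express 6.00.2900.3028",
    "X-MimeOLE": "Produced By Microsoft MimeOLE V6.00.2900.3028",
    "Content-Type": "multipart/related",
}

def matches(raw_message, rule=RULE):
    """True when every header named in the rule contains its substring."""
    msg = message_from_string(raw_message)
    for header, needle in rule.items():
        # get_all covers repeated headers; split/join unfolds folded values.
        values = msg.get_all(header) or []
        joined = " ".join(" ".join(str(v).split()) for v in values).lower()
        if needle.lower() not in joined:
            return False
    return True

def backtest(corpus, rule=RULE):
    """Count rule hits per label over (label, raw_message) pairs."""
    hits = {"spam": 0, "good": 0}
    for label, raw in corpus:
        if matches(raw, rule):
            hits[label] += 1
    return hits

def make(mailer, mimeole, ctype):
    # Builds a constructed sample message; not taken from a real mailbox.
    return (f"From: sender@example.com\nSubject: test\n"
            f"X-Mailer: {mailer}\nX-MimeOLE: {mimeole}\n"
            f"Content-Type: {ctype}\n\nbody\n")

OE = "Microsoft Outlook Express 6.00.2900.3028"
OLE = "Produced By Microsoft MimeOLE V6.00.2900.3028"
CORPUS = [  # constructed, hand-labelled samples
    ("spam", make(OE, OLE, 'multipart/related; boundary="b1"')),
    ("spam", make(OE, OLE, 'multipart/related;\n\tboundary="b2"')),  # folded
    ("good", make(OE, OLE, "text/plain; charset=us-ascii")),  # same client
    ("good", make("Microsoft Outlook Express 6.00.2800.1106",
                  "Produced By Microsoft MimeOLE V6.00.2800.1106",
                  'multipart/related; boundary="b3"')),
    ("spam", make("The Bat! (constructed)", "", "text/html")),
]

if __name__ == "__main__":
    print(backtest(CORPUS))
```

A non-zero "good" count from `backtest` is the false-positive signal to look for before enabling a rule; passing a rule with only the X-Mailer entry shows the version string alone also hitting the plain-text good message.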
  #8  
Old October 14th 07, 08:50 PM posted to microsoft.public.outlookexpress.general,microsoft.public.outlook,comp.mail.headers
PA Bear
external usenet poster
 
Posts: 3,031

> I typically combine the following in a filter rule...

What application are you using to filter incoming mail, MM?
--
~PA Bear


  #9  
Old October 15th 07, 03:55 PM posted to microsoft.public.outlookexpress.general,microsoft.public.outlook,comp.mail.headers
Mail Man[_2_]
external usenet poster
 
Posts: 1

PA Bear wrote:

> > I typically combine the following in a filter rule...
>
> What application are you using to filter incoming mail, MM?


The same one I use for usenet -

Netscape Communicator 4.79.

It allows for the creation of new header identifiers and then I can
search or filter for those identifiers (I have several dozen header
identifiers based on what I've seen in real e-mails and spam over the
years, many of them being "X-this" or "X-that"). I can search or
filter the "Received:" lines looking for e-mail (or spam) sent
directly to my server from specific IP addresses, etc. The search and
filter capability allows me to group 5 different items (like - Subject
has "abc" AND X-Mailer has "The Bat" AND ... etc).

"Milly Staples [MVP - Outlook]" wrote:

> Please remove the Outlook group as this is clearly not related.
> Thanks.


I suggest all future replies beyond this one remove the .outlook
group.
 



