#1
I've been identifying some spam based on what appears on the X-Mailer line. I don't use Outlook or OE as an e-mail client. I'm focusing on spammers who construct (forge) e-mail headers to make the e-mails appear legit, which frequently means that they construct spams that appear to have been sent by Outlook or OE.

For example, I'm seeing this in some recent spam:

    X-Mailer: Microsoft Outlook Express 5.50.4922.1500

Of my entire e-mail inventory (about 60k e-mails going back to 1998 - most of it being spam) I have about 2 dozen e-mails (all of them spam) with the above X-Mailer line. The first occurrence of that version in my e-mail inventory was in August 2005, and the most recent was today.

Is 5.50.4922.1500 a valid version of Outlook Express, and if so when would it have been a current version? Is there a chronological list of OE versions?
#2
> ...I don't use Outlook or OE as an e-mail client. I'm focusing on spammers who construct (forge) e-mail headers to make the e-mails appear legit, which frequently means that they construct spams that appear to have been sent by Outlook or OE.

I assume you meant "news message headers" and "news post" above.

> X-Mailer: Microsoft Outlook Express 5.50.4922.1500

Translation: Message was sent using OE5.5 SP2.

The version above corresponds not to OE (msimn.exe) but MSOE.DLL. Nevertheless, you can somewhat determine the version of OE by comparing the version of MSOE.DLL in the headers to the IE versions listed in http://support.microsoft.com/?kbid=164539; e.g., v6.00.2900.nnnn corresponds to OE6 running in WinXP SP2; v6.00.2800.nnnn corresponds to OE6 in WinXP SP1; etc.

Outlook (OL) doesn't natively handle NNTP news; instead, it invokes OE, usually as /news only.

IOW, the version of MSOE.DLL you see in the headers doesn't mean the message was constructed in any "forged" manner; it simply reflects the version of OE (MSOE.DLL, specifically) used to post the message.

--
~Robear Dyer (PA Bear)
MS MVP-Windows (IE, OE, Security, Shell/User)
AumHa VSOP & Admin http://aumha.net
DTS-L http://dts-l.org/

Mail Man wrote:
> I've been identifying some spam based on what appears on the X-Mailer line. I don't use Outlook or OE as an e-mail client. I'm focusing on spammers who construct (forge) e-mail headers to make the e-mails appear legit, which frequently means that they construct spams that appear to have been sent by Outlook or OE.
>
> For example, I'm seeing this in some recent spam:
>
>     X-Mailer: Microsoft Outlook Express 5.50.4922.1500
>
> Of my entire e-mail inventory (about 60k e-mails going back to 1998 - most of it being spam) I have about 2 dozen e-mails (all of them spam) with the above X-Mailer line. The first occurrence of that version in my e-mail inventory was in August 2005, and the most recent was today.
>
> Is 5.50.4922.1500 a valid version of Outlook Express, and if so when would it have been a current version? Is there a chronological list of OE versions?
#3
A simple google would have led to http://support.microsoft.com/kb/330994#top

IE 5.5 SP2, 15 Oct 2002

"Mail Man" wrote in message ...
> I've been identifying some spam based on what appears on the X-Mailer line. I don't use Outlook or OE as an e-mail client. I'm focusing on spammers who construct (forge) e-mail headers to make the e-mails appear legit, which frequently means that they construct spams that appear to have been sent by Outlook or OE.
>
> For example, I'm seeing this in some recent spam:
>
>     X-Mailer: Microsoft Outlook Express 5.50.4922.1500
>
> Of my entire e-mail inventory (about 60k e-mails going back to 1998 - most of it being spam) I have about 2 dozen e-mails (all of them spam) with the above X-Mailer line. The first occurrence of that version in my e-mail inventory was in August 2005, and the most recent was today.
>
> Is 5.50.4922.1500 a valid version of Outlook Express, and if so when would it have been a current version? Is there a chronological list of OE versions?
#4
PA Bear wrote:
> > ...I don't use Outlook or OE as an e-mail client. I'm focusing on spammers who construct (forge) e-mail headers to make the e-mails appear legit, which frequently means that they construct spams that appear to have been sent by Outlook or OE.
>
> I assume you meant "news message headers" and "news post" above.

No, I don't mean usenet or news messages. I said e-mail, and I meant e-mail, as in SMTP. Spam is usually associated with e-mail.

> IOW, the version of MSOE.DLL you see in the headers doesn't mean the message was constructed in any "forged" manner;

Yes it does, if we are talking about e-mail SPAM, which I am.
#5
"Mail Man" wrote in message ...
> PA Bear wrote:
> > > ...I don't use Outlook or OE as an e-mail client. I'm focusing on spammers who construct (forge) e-mail headers to make the e-mails appear legit, which frequently means that they construct spams that appear to have been sent by Outlook or OE.
> >
> > I assume you meant "news message headers" and "news post" above.
>
> No, I don't mean usenet or news messages. I said e-mail, and I meant e-mail, as in SMTP. Spam is usually associated with e-mail.
>
> > IOW, the version of MSOE.DLL you see in the headers doesn't mean the message was constructed in any "forged" manner;
>
> Yes it does, if we are talking about e-mail SPAM, which I am.

How do you know it was 'forged'? How do you know that the email was *not* created by the application in question?

--
f.h.
#6
"F. H. Muffman" wrote:
> > Yes it does, if we are talking about e-mail SPAM, which I am.
>
> How do you know it was 'forged'? How do you know that the email was *not* created by the application in question?

Because it was direct-to-MX, from an IP address listed on a DNSRBL, and because of the nature of the payload (bitmap drug spam). When you're talking about zombie-spam, you're talking about a customized SMTP engine where the spammer has designed the spam to look legit.

Consider this. I run an SMTP server for a small corporate domain. I don't have an MX record! Why? Because my A-record points to my SMTP server. Under SMTP rules, MX lookup failures are supposed to fall back to the domain's A-record. So bingo, I continue to receive mail. But guess what - about 75% of zombies don't follow the rules, so when they get an MX lookup failure for my domain they chug right along and send out the next spam to the next recipient.

Ok, so 25% of zombie spam gets through. But in my case, 1/2 of that has "The Bat" in the X-Mailer line. So guess what I do - yup - that stuff goes right into my spam folder. Of the remaining stuff, I have a few dozen rules, most of it based on what's in the header, and some of that is the OE version.

Now I can easily check all of my 60k e-mails going back to 1997 and see if any new spam detection rule would turn up positive on a "good" e-mail that I've received in the past. I'm seeing some of these OE versions where the version is something like 5.00 or 5.50 and either I've never gotten a "good" e-mail with that version, or the last time I did get a good e-mail was maybe 4 or 5 years ago - so I consider the odds that I'm going to get another valid e-mail from someone that hasn't updated their computer for 5 years. If the spammers want to help me that much by forging their spam with such an old version of OE then why not take advantage of it?
#7
Here are some recent examples.

In the past 2 days, I've gotten about a dozen spams with the following versions of OE indicated on the X-Mailer line. I'm also listing the first and last time I received a valid (good) e-mail with the same OE version, as well as the cumulative number of spams in 2006 and 2007 with that OE version.

| X-Mailer contains | Last good | First good | Spams 2007 | Spams 2006 |
|---|---|---|---|---|
| 5.50.4133.2400 | June 2004 | Jan 2001 | 26 | 64 |
| 6.00.2600.0000 | May 2006 | Feb 2002 | 36 | 183 |
| 6.00.2800.1106 | June 2007 | Sept 2002 | 147 | 139 |
| 6.00.2800.1158 | June 2007 | July 2003 | 21 | 129 |

I typically combine the following in a filter rule:

- X-Mailer is (or contains) X
- X-MimeOLE is (or contains) Y
- Content-Type contains Z

For example:

- When X = Produced By Microsoft MimeOLE V6.00.2900.3028
- When Y = Microsoft Outlook Express 6.00.2900.3028
- When Z = multipart/related

Then the only e-mails I have that match the above 3 criteria are 78 spams, all received on or after April 2007.

The Content-Type rule (multipart/related) is very useful to differentiate between good mail and spam when combined with rules for specific OE versions.
#8
> I typically combine the following in a filter rule...

What application are you using to filter incoming mail, MM?

--
~PA Bear

Mail Man wrote:
> Here are some recent examples.
>
> In the past 2 days, I've gotten about a dozen spams with the following versions of OE indicated on the X-Mailer line. I'm also listing the first and last time I received a valid (good) e-mail with the same OE version, as well as the cumulative number of spams in 2006 and 2007 with that OE version.
>
> | X-Mailer contains | Last good | First good | Spams 2007 | Spams 2006 |
> |---|---|---|---|---|
> | 5.50.4133.2400 | June 2004 | Jan 2001 | 26 | 64 |
> | 6.00.2600.0000 | May 2006 | Feb 2002 | 36 | 183 |
> | 6.00.2800.1106 | June 2007 | Sept 2002 | 147 | 139 |
> | 6.00.2800.1158 | June 2007 | July 2003 | 21 | 129 |
>
> I typically combine the following in a filter rule:
>
> - X-Mailer is (or contains) X
> - X-MimeOLE is (or contains) Y
> - Content-Type contains Z
>
> For example:
>
> - When X = Produced By Microsoft MimeOLE V6.00.2900.3028
> - When Y = Microsoft Outlook Express 6.00.2900.3028
> - When Z = multipart/related
>
> Then the only e-mails I have that match the above 3 criteria are 78 spams, all received on or after April 2007.
>
> The Content-Type rule (multipart/related) is very useful to differentiate between good mail and spam when combined with rules for specific OE versions.
#9
PA Bear wrote:
> > I typically combine the following in a filter rule...
>
> What application are you using to filter incoming mail, MM?

The same one I use for usenet - Netscape Communicator 4.79. It allows for the creation of new header identifiers and then I can search or filter for those identifiers (I have several dozen header identifiers based on what I've seen in real e-mails and spam over the years, many of them being "X-this" or "X-that"). I can search or filter the "Received:" lines looking for e-mail (or spam) sent directly to my server from specific IP addresses, etc. The search and filter capability allows me to group 5 different items (like - Subject has "abc" AND X-Mailer has "The Bat" AND ... etc).

"Milly Staples [MVP - Outlook]" wrote:
> Please remove the Outlook group as this is clearly not related. Thanks.

I suggest all future replies beyond this one remove the .outlook group.