Question about different versions of Outlook/express as indicated in theX-mailer line

[Mail Man]

I've been identifying some spam based on what appears on the X-mailer
line. I don't use Outlook or OE as an e-mail client. I'm focusing on
spammers who construct (forge) e-mail headers to make the e-mails
appear legit, which frequently means that they construct spams that
appear to have been sent by Outlook or OE.

For example, I'm seeing this in some recent spam:

X-Mailer: Microsoft Outlook Express 5.50.4922.1500

Of my entire e-mail inventory (about 60k e-mails going back to 1998 -
most of it being spam) I have about 2 dozen e-mails (all of them spam)
with the above X-Mailer line.

The first occurrance of that version in my e-mail inventory was in
August 2005, and the most recent was today.

Is 5.50.4922.1500 a valid version of Outlook Express, and if so when
would it have been a current version?

Is there a chronological list of OE versions?

 

[PA Bear]

...I don't use Outlook or OE as an e-mail client. I'm focusing on

spammers who construct (forge) e-mail headers to make the e-mails
appear legit, which frequently means that they construct spams that
appear to have been sent by Outlook or OE.

I assume you meant "news message headers" and "news post" above.

X-Mailer: Microsoft Outlook Express 5.50.4922.1500

Translation: Message was sent using OE5.5 SP2. The version above
corresponds not to OE (msimn.exe) but MSOE.DLL. Nevertheless, you can
somewhat determine the version of OE by comparing the version of MSOE.DLL in
the headers to the IE versions listed in
http://support.microsoft.com/?kbid=164539; e.g., v6.00.2900.nnnn corresponds
to OE6 running in WinXP SP2; v6.00.2800.nnnn corresponds to OE6 in WinXP
SP1; etc.

Outlook (OL) doesn't natively handle NNTP news; instead, it invokes OE,
usually as /news only.

IOW, the version of MSOE.DLL you see in the headers doesn't mean the message
was constructed in any "forged" manner; it simply reflects the version of OE
(MSOE.DLL, specifically) used to post the message.

 

[DL]

A simple google would have led to
http://support.microsoft.com/kb/330994#top

IE 5.5 Sp2 15 Oct 2002

 

[Mail Man]

I assume you meant "news message headers" and "news post" above.

No, I don't mean usenet or news messages. I said e-mail, and I meant
e-mail, as in SMTP. Spam is usually associated with e-mail.

IOW, the version of MSOE.DLL you see in the headers doesn't mean
the message was constructed in any "forged" manner;

Yes it does, if we are talking about e-mail SPAM, which I am.

 

[F. H. Muffman]

No, I don't mean usenet or news messages. I said e-mail, and I meant
e-mail, as in SMTP. Spam is usually associated with e-mail.


Yes it does, if we are talking about e-mail SPAM, which I am.

How do you know it was 'forged'? How do you know that the email was *not*
created by the application in question?

 

[N. Miller]

I assume you meant "news message headers" and "news post" above.

You know what they say about "assume"...

Translation: Message was sent using OE5.5 SP2.

If you can trust the "X-Mailer:" line in the message. OP knows it to be
spam, which makes that line a likely forgery. If '5.50.4922.1500' was never
put into an email header, then that is certainly a forgery, and was not
created by a legitimate MSFT product.

The version above corresponds not to OE (msimn.exe) but MSOE.DLL.
Nevertheless, you can somewhat determine the version of OE by comparing the
version of MSOE.DLL in the headers to the IE versions listed in
http://support.microsoft.com/?kbid=164539; e.g., v6.00.2900.nnnn corresponds
to OE6 running in WinXP SP2; v6.00.2800.nnnn corresponds to OE6 in WinXP
SP1; etc.

That link could prove helpful. I see the MSOE headers in spam, and I *know*
that the spammer did not use MSOE to send it. I have often wondered, myself,
if there was a way to detect when a spammer forged "X-Mailer:" header line
was included in a spam message.

Here are some "X-Header" lines from a recent spam to my landlady's account:

| X-MSMail-Priority: Normal
| X-Mailer: Microsoft Outlook Express 6.00.3790.2663
| X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.2757
| X-UC-Weight: [## ] 133
| X-CC-Diagnostic: Header X-SPAMWALL matches "*SPAM detected!*" (50),

Mercury/32, my MTA (sort of like Exchange, you know?) tagged it with the
"X-UC-Weight" and "X-CC-Diagnostic" header lines; but I have often wondered
if there was a way to configure the Mercury/32 Content Checker (the "CC"
reference in the "X-CC-Diagnostic" line) to detect a forgery based on the
combination of "X-Mailer" and "X-MimeOLE" lines added by the spammer's
software.

Outlook (OL) doesn't natively handle NNTP news; instead, it invokes OE,
usually as /news only.

Which doesn't apply because the OP is asking about the actuall version
numbers used by MSFT in the mail client; as a way of verifying whether the
"X-Mailer:" header line can be trusted as legit, or treated as a spammer
forgery.

Keep in mind, MSOE, itself, *can't* test "X-Heaer-Lines" in email rules. OP
is *not* using MSOE, but *is* using an email client which *can* test the
"X-Header-Lines" in email. He just wants a list of known valid MSOE version
numbers for rules checking.

--
Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.

 

[N. Miller]

How do you know it was 'forged'? How do you know that the email was *not*
created by the application in question?

Here is a link to some spam I received (to a 'pacbell.net' email account')
purportedly composed using MS Outlook Express 6:

http://www.spamcop.net/sc?id=z1472060570z82c545dbf83a4beabc6774e8cf5961cdz

SpamCop.net wants to notify the provider whose customer is listed as having
an open proxy. Using MSOE to spam through open proxies is inefficient, and
risky (because MSOE can be set to pop up a warning to the user that somebody
is trying to "send as user"). Better to use a purpose built spam engine, and
configure said spam engine to emulate a popular email client.

Look carefully at the "X-Mailer" header line in that spam:

| X-Mailer: Microsoft Outlook Express 6.00.2900.3028

Then look at PA Bear's link:

| 6.00.2800.1106 Internet Explorer 6 Service Pack 1 (Windows XP SP1)
| 6.00.2900.2180 Internet Explorer 6 for Windows XP SP2
| 6.00.3663.0000 Internet Explorer 6 for Windows Server 2003 RC1

I would judge that piece of spam to have a fraudulent "X-Mailer" header
line. However, it could be a forgery, if it matched the MSFT KB article,
*and* had other signs of forgery.

If you follow the SpamCom.net parse in the email message I linked, you will
see that SpamCop.net suspects the "Received" header line right below the one
stamped by my domain ('pacbell.net') gateway mail server
('flpi090.prodigy.net').

The email client which downloaded this email from
'mta108.sbc.mail.re3.yahoo.com' (my POP3 server; configured in the client
as, 'pop.att.yahoo.com') is the "Mercury Distributing POP3 Client", a
component of the "Mercury/32" MTA (a mail server application; roughly
similar to MS Exchange). It added some "X-Header" lines of its own:

| X-UC-Weight: [### ] 5123
| X-CC-Diagnostic: Header Authentication-Results contains "domainkeys=neutral" (5),
| Header "X-YahooFilteredBulk" Exists (50), Header "X-Header-Overseas" Exists (19),
| Header "X-Header-Overseas" Exists (0), RIPE (22), Bogon-10x,11x (28)
| X-Text-Classification: spam [Mercury/32 CC]

The diagnostic comments show which "X-Headers" were checked by the
Mercury/32 "Content Checker". Try and get MS Outlook Express to check
"X-Headers". Indeed, if I needed to use MSOE with Mercury/32, I'd have to
configure Mercury/32 to add a [***SPAM***] tag to the "Subject" line in
order to give MSOE somehing to filter on. The client I do use, Pegasus Mail
(a companion product to Mercury/32) *can* check the "X-Header" lines, and so
can filter email on the "X-Text-Classification: Spam [Mercury/32 CC]" header
line. The Mozilla clients, Eudora, and any other capable mail client can
also check against that header line.

I certainly could add a filter rule to check for "X-Mailer: Microsoft
Outlook Express 6.00.2900.3028", and shunt any email with that line to a
"Bulk" folder. But I will work up a rule which checks for legitimate MSFT
versions, instead. A rule which will skip the rule action on a match, but
execute the rule action on no match, instead. Assuming I find spam evading
the current filter set, but which has the wrong version information.

Note to PA Bear: Thanks for the version information link. I have bookmarked
it for reference.

--
Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.

 

[Mail Man]

How do you know it was 'forged'? How do you know that the email
was *not* created by the application in question?

Because it was direct-to-MX, from an IP address listed on a DNSRBL,
and because of the nature of the payload (bitmap drug spam).

When you're talking about zombie-spam, you're talking about a
customized SMTP engine where the spammer has designed the spam to look
legit.

Consider this. I run an SMTP server for a small corporate domain. I
don't have an MX record! Why? Because my A-record points to my SMTP
server. Under SMTP rules, MX lookup failures are supposed to fall
back to the domain's A-record. So bingo, I continue to receive mail.
But guess what - about 75% of zombies don't follow the rules, so when
they get an MX lookup failure for my domain they chug right along and
send out the next spam to the next recipient.

Ok, so 25% of zombie spam gets through. But in my case, 1/2 of that
has "The Bat" in the X-mailer line. So guess what I do - yup - that
stuff goes right into my spam folder.

Of the remaining stuff, I have a few dozen rules, most of it based on
what's in the header, and some of that is the OE version.

Now I can easily check all of my 60k e-mails going back to 1997 and
see if any new spam detection rule would turn up positive on a "good"
e-mail that I've received in the past.

I'm seeing some of these OE versions where the version is something
like 5.00 or 5.50 and either I've never gotten a "good" e-mail with
that version, or that last time I did get a good e-mail was maybe 4 or
5 years ago - so I consider the odds that I'm going to get another
valid e-mail from someone that hasn't updated their computer for 5
years. If the spammers want to help me that much by forging their
spam with such an old version of OE then why not take advantage of it?

 

[Mail Man]

Here's some recent examples.

In the past 2 days, I've gotten about a dozen spams with the following
versions of OE indicated on the X-Mailer line. I'm also listing the
first and last time I received a valid (good) e-mail with the same OE
version, as well as the cumulative number of spams in 2006 and 2007
with that OE version.

X-Mailer contains 5.50.4133.2400
last good = June 2004, first good = Jan 2001
26 spams 2007, 64 spams 2006

X-Mailer contains 6.00.2600.0000
last good = May 2006, first good = Feb 2002
36 spams 2007, 183 spams 2006

X-Mailer contains 6.00.2800.1106
last good = June 2007, first good = sept 2002
147 spams 2007, 139 spams 2006

X-Mailer contains 6.00.2800.1158
last good = june 2007, first good = July 2003
21 spams 2007, 129 spams 2006

I typically combine the following in a filter rule:

X-mailer is (or contains) X
X-MimeOLE is (or contains) Y
Content-Type contains Z

For example:

When X = Produced By Microsoft MimeOLE V6.00.2900.3028
When Y = Microsoft Outlook Express 6.00.2900.3028
When Z = multipart/related

Then the only e-mails I have that match the above 3 criteria are 78
spams, all received on or after April 2007.

The Content-Type rule (multipart/related) is very useful to
differentiate between good mail and spam when combined with rules for
specific OE versions.

 

[PA Bear]

I typically combine the following in a filter rule...

What application are you using to filter incoming mail, MM?

 

[Mail Man]

What application are you using to filter incoming mail, MM?

The same one I use for usenet -

Netscape Communicator 4.79.

It allows for the creation of new header identifiers and then I can
search or filter for those identifiers (I have several dozen header
identifiers based on what I've seen in real e-mails and spam over the
years, many of them being "X-this" or "X-that"). I can search or
filter the "Received:" lines looking for e-mail (or spam) send
directly to my server from specific IP addresses, etc. The search and
filter capability allows me to group 5 different items (like - Subject
has "abc" AND X-Mailer has "The Bat" AND ... etc).

Please remove the Outlook group as this is clearly not related.
Thanks.

I suggest all future replies beyond this one remove the .outlook
group.