How do you know it was 'forged'? How do you know that the email was *not*
created by the application in question?
Here is a link to some spam I received (to a 'pacbell.net' email account)
purportedly composed using MS Outlook Express 6:
http://www.spamcop.net/sc?id=z1472060570z82c545dbf83a4beabc6774e8cf5961cdz
SpamCop.net wants to notify the provider whose customer is listed as having
an open proxy. Using MSOE to spam through open proxies is inefficient, and
risky (because MSOE can be set to pop up a warning to the user that somebody
is trying to "send as user"). Better to use a purpose built spam engine, and
configure said spam engine to emulate a popular email client.
Look carefully at the "X-Mailer" header line in that spam:
| X-Mailer: Microsoft Outlook Express 6.00.2900.3028
Then look at PA Bear's link:
| 6.00.2800.1106 Internet Explorer 6 Service Pack 1 (Windows XP SP1)
| 6.00.2900.2180 Internet Explorer 6 for Windows XP SP2
| 6.00.3663.0000 Internet Explorer 6 for Windows Server 2003 RC1
I would judge that piece of spam to have a fraudulent "X-Mailer" header
line. However, it could be a forgery, if it matched the MSFT KB article,
*and* had other signs of forgery.
If you follow the SpamCop.net parse in the email message I linked, you will
see that SpamCop.net suspects the "Received" header line right below the one
stamped by my domain ('pacbell.net') gateway mail server
('flpi090.prodigy.net').
The email client which downloaded this email from
'mta108.sbc.mail.re3.yahoo.com' (my POP3 server; configured in the client
as, 'pop.att.yahoo.com') is the "Mercury Distributing POP3 Client", a
component of the "Mercury/32" MTA (a mail server application; roughly
similar to MS Exchange). It added some "X-Header" lines of its own:
| X-UC-Weight: [### ] 5123
| X-CC-Diagnostic: Header Authentication-Results contains "domainkeys=neutral" (5),
| Header "X-YahooFilteredBulk" Exists (50), Header "X-Header-Overseas" Exists (19),
| Header "X-Header-Overseas" Exists (0), RIPE (22), Bogon-10x,11x (28)
| X-Text-Classification: spam [Mercury/32 CC]
The diagnostic comments show which "X-Headers" were checked by the
Mercury/32 "Content Checker". Try and get MS Outlook Express to check
"X-Headers". Indeed, if I needed to use MSOE with Mercury/32, I'd have to
configure Mercury/32 to add a [***SPAM***] tag to the "Subject" line in
order to give MSOE something to filter on. The client I do use, Pegasus Mail
(a companion product to Mercury/32) *can* check the "X-Header" lines, and so
can filter email on the "X-Text-Classification: Spam [Mercury/32 CC]" header
line. The Mozilla clients, Eudora, and any other capable mail client can
also check against that header line.
I certainly could add a filter rule to check for "X-Mailer: Microsoft
Outlook Express 6.00.2900.3028", and shunt any email with that line to a
"Bulk" folder. But I will work up a rule which checks for legitimate MSFT
versions, instead: a rule which will skip the rule action on a match, but
execute the rule action on no match, assuming I find spam evading the
current filter set which has the wrong version information.
Note to PA Bear: Thanks for the version information link. I have bookmarked
it for reference.
--
Norman
~Shine, bright morning light,
~now in the air the spring is coming.
~Sweet, blowing wind,
~singing down the hills and valleys.
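The "skip on match, act on no match" rule Norman describes, worked through as an added example (this is not the poster's Pegasus Mail rule, and the message samples below are constructed). The set of legitimate build numbers is taken from the versions quoted in the post; any real deployment would maintain its own list, since the check is only as good as that list.

```python
import email
import re
from typing import Optional

# Build numbers quoted in the post from PA Bear's link. The post treats these as
# legitimate MSOE 6 builds; assumption: a deployment keeps this list current.
KNOWN_OE6_BUILDS = {"6.00.2800.1106", "6.00.2900.2180", "6.00.3663.0000"}

# Matches the X-Mailer string MSOE writes and captures the four-part build number.
XMAILER_OE_RE = re.compile(r"^Microsoft Outlook Express\s+(\d+\.\d+\.\d+\.\d+)\s*$")


def classify_x_mailer(raw_message: str) -> str:
    """Classify a raw RFC 822 message by its X-Mailer header.

    Returns one of:
      'no-x-mailer'        - header absent (many clients and MTAs add none)
      'not-outlook-express'- header present but claims another client
      'known-version'      - claims MSOE with a build number on the known list
      'unknown-version'    - claims MSOE with a build number not on the list
    """
    msg = email.message_from_string(raw_message)
    x_mailer = msg.get("X-Mailer")
    if x_mailer is None:
        return "no-x-mailer"
    m = XMAILER_OE_RE.match(x_mailer.strip())
    if not m:
        return "not-outlook-express"
    return "known-version" if m.group(1) in KNOWN_OE6_BUILDS else "unknown-version"


def rule_action(raw_message: str) -> Optional[str]:
    """Negated-match rule: skip the action on a known version, act on no match.

    Only a message that *claims* MSOE but carries an unlisted build number is
    shunted; messages without an X-Mailer header or from other clients are left
    alone so the rule does not misfile legitimate mail.
    """
    if classify_x_mailer(raw_message) == "unknown-version":
        return "move-to-Bulk"
    return None


# Constructed sample messages (headers only matter; bodies are filler).
SPAM_SAMPLE = (
    "From: someone@example.invalid\n"
    "To: me@example.invalid\n"
    "Subject: hello\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2900.3028\n"
    "\n"
    "body\n"
)
LEGIT_OE_SAMPLE = (
    "From: friend@example.invalid\n"
    "To: me@example.invalid\n"
    "Subject: lunch\n"
    "X-Mailer: Microsoft Outlook Express 6.00.2900.2180\n"
    "\n"
    "body\n"
)
OTHER_CLIENT_SAMPLE = (
    "From: colleague@example.invalid\n"
    "To: me@example.invalid\n"
    "Subject: report\n"
    "X-Mailer: Pegasus Mail for Windows (example placeholder version)\n"
    "\n"
    "body\n"
)
NO_HEADER_SAMPLE = (
    "From: list@example.invalid\n"
    "To: me@example.invalid\n"
    "Subject: digest\n"
    "\n"
    "body\n"
)


if __name__ == "__main__":
    for name, sample in [("spam", SPAM_SAMPLE), ("legit OE", LEGIT_OE_SAMPLE),
                         ("other client", OTHER_CLIENT_SAMPLE), ("no header", NO_HEADER_SAMPLE)]:
        print(f"{name:12s} -> {classify_x_mailer(sample):22s} action={rule_action(sample)}")
```

The design point is the negation: matching known-good versions and acting only on the remainder catches a spam engine that emulates the client with a bad build string, without having to enumerate every bad string seen so far. The cost is the maintenance of the known list, since a new legitimate build would be shunted until the list is updated.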