X-WUM Header Question

[Rick Mallett <rm...@ccs.carleton.ca>]

I've noticed that a lot of the lottery spam and nigerian scam messages
that slip by SA (3.1.9) unscathed (i.e. score < 5) at my site contain
the following headers

   X-Wum-Nature: EMAIL-NATURE
   X-WUM-FROM: |~|
   X-WUM-CCI:
    |~||~||~||~||~||~||~||~||~||~||~||~||~||
   X-WUM-REPLYTO: |~|

and I'd like to add some local rules to detect those headers and 
add a couple of points, but I don't want to do that if there is a good
chance it will increase FP's.

Does anyone know which mail client or server adds the "X-WUM" headers
and how likely it is that they are found in legitimate mail.

I'll be upgrading to 3.2.3 soon, but it isn't a solution for the time
being.

- rick

Re: X-WUM Header Question

[Matt Kettler <mk...@verizon.net>]

Rick Mallett wrote:
> I've noticed that a lot of the lottery spam and nigerian scam messages
> that slip by SA (3.1.9) unscathed (i.e. score < 5) at my site contain
> the following headers
>
>   X-Wum-Nature: EMAIL-NATURE
>   X-WUM-FROM: |~|
>   X-WUM-CCI:
>    |~||~||~||~||~||~||~||~||~||~||~||~||~||
>   X-WUM-REPLYTO: |~|
>
> and I'd like to add some local rules to detect those headers and add a
> couple of points, but I don't want to do that if there is a good
> chance it will increase FP's.
>
> Does anyone know which mail client or server adds the "X-WUM" headers
> and how likely it is that they are found in legitimate mail.
>

Searching on the web it looks like something inserted by servers at
Wanadoo/freeserve.com/orange.co.uk (same company, different names) into
every message they handle.

Were all of the messages transfered through one of those sites?
Wanadoo/etc is a popular broadband end-user ISP in the UK and France.
Being an end user domain, has lots of legitamate users, and infected
bots. Same as most other big-market end-user ISPs.