Posted to users@spamassassin.apache.org by Justin Mason <jm...@jmason.org> on 2004/10/11 18:43:02 UTC

Re: X-message-flag question

Jeremy Rumpf writes:
> I've seen a few messages recently that contained the header
> 
> X-message-flag: Authentic Sender, Hash: PoHgCaAr
> 
> My questions are, are they trying to simulate something like hash cash? Does 
> anyone know of a MUA that inserts/utilizes this header?

I suspect it's targeted at a specific receiving site -- I have no
idea which one though.   (that's what X-Message-Info is apparently
intended to do.)

If that's the case it makes a killer spam-sign for people on any other
ISP ;)

Has anyone seen these headers?  Perhaps AOL?

--j.

> I would like to insert a local rule to score on this similar to the 
> X_MESSAGE_INFO rule in 20_ratware.cf, but wanted to ask of others' opinion 
> first:
> 
> header X_MESSAGE_INFO           exists:X-Message-Info
> describe X_MESSAGE_INFO         Bulk email fingerprint (X-Message-Info) found
> 
> --------------- examples -------------------
> 
> Subject: ***SPAM*** Call me
> Date: Tue, 12 Oct 2004 03:11:44 -0500
> MIME-Version: 1.0
> Content-Type: multipart/related;
>   boundary="----=_NextPart_000_00NX_00B9614KA_04C.008C38K0"
> X-Mailer: Microsoft Office Outlook, Build 11.0.6353
> X-message-flag: Authentic Sender, Hash: TrVfLjGp
> Message-Id: <20...@smtp-in.foobar.com>
> 
> Subject: ***SPAM*** Your test results
> Date: Tue, 12 Oct 2004 11:58:41 -0500
> MIME-Version: 1.0
> Content-Type: multipart/related;
>         boundary="----=_NextPart_000_00KS_01G0282KJ_04E.864L81I0"
> X-Mailer: Microsoft Office Outlook, Build 11.0.6353
> X-message-flag: Authentic Sender, Hash: PoHgCaAr
> Message-Id: <20...@smtp-in.foobar.com>


Re: X-message-flag question

Posted by Loren Wilton <lw...@earthlink.net>.
> So the initial rule will concentrate on the syntax format instead of just 
> checking for the existence of the header:
> 
> X-message-flag: Authentic Sender, Hash: TrVfLjGp

This one appears to me to be bogus as well, it comes from the same guy:

> X-message-flag: Encrypted 128 bit message, authentic sender

        Loren


Re: X-message-flag question

Posted by Jeremy Rumpf <jr...@heavyload.net>.
On Monday 11 October 2004 12:43 pm, Justin Mason wrote:
> Jeremy Rumpf writes:
> > I've seen a few messages recently that contained the header
> >
> > X-message-flag: Authentic Sender, Hash: PoHgCaAr
> >
> > My questions are, are they trying to simulate something like hash cash?
> > Does anyone know of a MUA that inserts/utilizes this header?
>
> I suspect it's targeted at a specific receiving site -- I have no
> idea which one though.   (that's what X-Message-Info is apparently
> intended to do.)
>
> If that's the case it makes a killer spam-sign for people on any other
> ISP ;)
>
> Has anyone seen these headers?  Perhaps AOL?
>
> --j.
>
> > I would like to insert a local rule to score on this similar to the
> > X_MESSAGE_INFO rule in 20_ratware.cf, but wanted to ask of others'
> > opinion first:
> >
> > header X_MESSAGE_INFO           exists:X-Message-Info
> > describe X_MESSAGE_INFO         Bulk email fingerprint (X-Message-Info)
> > found
> >


My thought was perhaps the token was being used to track any replies. I've dug 
through my archive and found other text in that header as well:

From: "Maryellen" <ii...@yahoo.com>
To: jrumpf@heavyload.net
Subject: ***SPAM*** FDA diet meds online
Date: Fri, 27 Aug 2004 14:48:53 -0800
MIME-Version: 1.0
Content-Type: multipart/related;
        boundary="----=_NextPart_000_00TM_05X4847UF_02C.665I05X0"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-message-flag: Encrypted 128 bit message, authentic sender
Message-Id: <20...@smtp-in.foobar.com>


And also some that's intended otherwise:

Date: Thu, 13 May 2004 10:59:33 +0200
From: Olivier Tharan <ol...@pasteur.fr>
To: postfix-users@postfix.org
Subject: Re: Issue with reject_unknown_client and CNAME Data as per RFC2317
Message-ID: <20...@mafate.sis.pasteur.fr>
Mail-Followup-To: postfix-users@postfix.org
References: <20...@spike.porcupine.org> 
<20...@spike.porcupine.org> 
<20...@charite.de>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <20...@charite.de>
X-message-flag: Outlook: spreading viruses since 1997! http://www.rodos.net/outlook/
X-AntiVirus: checked by Vexira MailArmor (version: 2.0.1.14; VAE: 6.25.0.3; VDF: 6.25.0.61; host: russian-caravan.cloud9.net)
Sender: owner-postfix-users@postfix.org
Precedence: bulk



Date: Wed, 5 May 2004 09:49:52 -0700 (PDT)
From: Rich Shepard <rs...@appl-ecosys.com>
To: postfix-users@postfix.org
Subject: Re: UCE regex: defining complete words only
In-Reply-To: <6....@mailgate.vbhcs.org>
Message-ID: <Pi...@salmo.appl-ecosys.com>
References: <Pi...@salmo.appl-ecosys.com>
 <6....@mailgate.vbhcs.org>
X-message-flag: Sent virus-free from a linux system.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-AntiVirus: checked by Vexira MailArmor (version: 2.0.1.14; VAE: 6.25.0.3; VDF: 6.25.0.48; host: camomile.cloud9.net)
Sender: owner-postfix-users@postfix.org
Precedence: bulk


So the initial rule will concentrate on the syntax format instead of just 
checking for the existence of the header:

X-message-flag: Authentic Sender, Hash: TrVfLjGp

Thanks,
Jeremy
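As an added illustration, not code from this thread or from the SpamAssassin distribution: a small Python model of the syntax-based rule Jeremy describes, checked against X-message-flag values copied from the samples in the thread (the spammer's "Authentic Sender, Hash: ..." and "Encrypted 128 bit message, authentic sender" forms versus the postfix-users list's hand-written taglines). The rule names LOCAL_XMSGFLAG_HASH / LOCAL_XMSGFLAG_ENC, the scores, and the minimal surrounding headers are assumptions made for the example.

```python
"""Score X-message-flag by its syntax rather than by mere existence."""
import re
from email import message_from_string

# Hypothetical local.cf fragment this example models (names and scores are
# assumptions, not rules shipped with SpamAssassin):
#
#   header   LOCAL_XMSGFLAG_HASH  X-message-flag =~ /^Authentic Sender, Hash: [A-Za-z0-9]{8}$/
#   describe LOCAL_XMSGFLAG_HASH  Ratware fingerprint: fake "Authentic Sender" hash
#   score    LOCAL_XMSGFLAG_HASH  2.0
#   header   LOCAL_XMSGFLAG_ENC   X-message-flag =~ /^Encrypted 128 bit message, authentic sender$/i
#   describe LOCAL_XMSGFLAG_ENC   Ratware fingerprint: fake "encrypted" claim
#   score    LOCAL_XMSGFLAG_ENC   2.0
#
# The hash token is alphanumeric, not just letters: one sample in the thread
# is "W7RxMyLu", so [A-Z]{8} would miss it.
RULES = {
    "LOCAL_XMSGFLAG_HASH": (re.compile(r"^Authentic Sender, Hash: [A-Za-z0-9]{8}$"), 2.0),
    "LOCAL_XMSGFLAG_ENC": (re.compile(r"^Encrypted 128 bit message, authentic sender$", re.I), 2.0),
}
HEADER = "X-message-flag"


def header_values(raw: str, name: str) -> list:
    """All values of a header (name matched case-insensitively), whitespace-folded."""
    msg = message_from_string(raw)
    return [" ".join(v.split()) for v in (msg.get_all(name) or [])]


def exists_rule(raw: str) -> bool:
    """The 20_ratware.cf style 'exists:' test: fires on any X-message-flag at all."""
    return bool(header_values(raw, HEADER))


def format_rules(raw: str) -> list:
    """Names of the syntax rules that fire, in RULES order."""
    values = header_values(raw, HEADER)
    return [name for name, (rx, _) in RULES.items() if any(rx.search(v) for v in values)]


def score(raw: str) -> float:
    """Total score contributed by the syntax rules."""
    return sum(RULES[name][1] for name in format_rules(raw))


def tally(corpus: list) -> dict:
    """Count hits per rule over a corpus, a rough stand-in for a mass-check run."""
    counts = {name: 0 for name in RULES}
    counts["EXISTS"] = 0
    for raw in corpus:
        if exists_rule(raw):
            counts["EXISTS"] += 1
        for name in format_rules(raw):
            counts[name] += 1
    return counts


# Constructed samples: X-message-flag values taken from the thread, every
# other header reduced to a minimum (addresses are placeholders).
SPAM_HASH = """\
From: someone@example.com
To: user@example.net
Subject: Call me
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-message-flag: Authentic Sender, Hash: TrVfLjGp

body
"""
SPAM_HASH_DIGIT = """\
From: someone@example.com
To: user@example.net
Subject: Your test results
X-Message-Flag: Authentic Sender, Hash: W7RxMyLu

body
"""
SPAM_ENC = """\
From: someone@example.com
To: user@example.net
Subject: FDA diet meds online
X-message-flag: Encrypted 128 bit message, authentic sender

body
"""
HAM_OUTLOOK_TAG = """\
From: someone@example.org
To: postfix-users@postfix.org
Subject: Re: Issue with reject_unknown_client and CNAME Data as per RFC2317
X-message-flag: Outlook: spreading viruses since 1997! http://www.rodos.net/outlook/

body
"""
HAM_LINUX_TAG = """\
From: someone@example.org
To: postfix-users@postfix.org
Subject: Re: UCE regex: defining complete words only
X-message-flag: Sent virus-free from a linux system.

body
"""
SPAM = [SPAM_HASH, SPAM_HASH_DIGIT, SPAM_ENC]
HAM = [HAM_OUTLOOK_TAG, HAM_LINUX_TAG]

if __name__ == "__main__":
    print("exists-only hits in ham:", tally(HAM)["EXISTS"])
    print("syntax hits in spam:", tally(SPAM))
```

The point the tally makes is the one Jeremy draws: an `exists:X-message-flag` rule fires on both postfix-users messages, whereas the two syntax rules fire on all three spam samples and on neither ham sample. If the spammer's template changes (a different token length, a new slogan), only the regex needs updating; the existence test cannot be tightened at all.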


Re: X-message-flag question

Posted by Loren Wilton <lw...@earthlink.net>.
BTW, all of these *claim* to be from

X-Mailer: Microsoft Office Outlook, Build 11.0.6353

However, they also happen to all be from a particular spammer in Brasil, and
most of them also claim to have been scanned by SA 2.60 and got a score
of -5.1.  So I don't know that I necessarily believe the X-Mailer info.

        Loren


Re: X-message-flag question

Posted by Loren Wilton <lw...@earthlink.net>.
>
> Has anyone seen these headers?  Perhaps AOL?
>

\\It\wilton\train\TestSpam(6797):X-message-flag: Authentic Sender, Hash: RdDyHlGm
\\It\wilton\train\TestSpam(11091):X-message-flag: Authentic Sender, Hash: VuIkTsDi
\\It\wilton\train\TestSpam(18445):X-message-flag: Encrypted 128 bit message, authentic sender
\\It\wilton\train\old spam(101):X-message-flag: Authentic Sender, Hash: VoAoGdHl
\\It\wilton\train\old spam(1065):X-message-flag: Encrypted 128 bit message, authentic sender
\\It\wilton\train\old spam(1864):X-message-flag: Encrypted 128 bit message, authentic sender
\\It\wilton\train\old spam(4141):X-message-flag: Encrypted 128 bit message, authentic sender
\\It\wilton\train\old spam(5745):X-message-flag: Authentic Sender, Hash: FhEgEmCl
\\It\wilton\train\old spam(6223):X-message-flag: Authentic Sender, Hash: UsSrTwVk
\\It\wilton\train\old spam(8430):X-message-flag: Authentic Sender, Hash: W7RxMyLu
\\It\wilton\train\old spam(8957):X-message-flag: Authentic Sender, Hash: WkEyQtVa
\\It\wilton\train\old spam(9310):X-message-flag: Authentic Sender, Hash: EzOmPzOv
\\It\wilton\train\old spam(9807):X-message-flag: Encrypted 128 bit message, authentic sender
\\It\wilton\train\old spam(24446):X-message-flag: Encrypted 128 bit message, authentic sender
\\It\wilton\train\old spam(33738):X-message-flag: Authentic Sender, Hash: BzNkGyDk
\\It\wilton\train\old spam(43099):X-message-flag: Encrypted 128 bit message, authentic sender
\\It\wilton\train\old spam(43793):X-message-flag: Authentic Sender, Hash: LpRdThNg
\\It\wilton\train\old spam(44690):X-message-flag: Authentic Sender, Hash: EjPfAkKc
\\It\wilton\train\old spam(47667):X-message-flag: Authentic Sender, Hash: AcTlFjAq
\\It\wilton\train\old spam(47904):X-message-flag: Authentic Sender, Hash: WlLcUcIj
\\It\wilton\train\old spam(70813):X-message-flag: Authentic Sender, Hash: CsRxZlKq
\\It\wilton\train\old spam(73097):X-message-flag: Authentic Sender, Hash: ZvWdHkKz
\\It\wilton\train\old spam(76577):X-message-flag: Authentic Sender, Hash: WsGpSfOy
\\It\wilton\train\old spam(85175):X-message-flag: Authentic Sender, Hash: TuUkDdAh
\\It\wilton\train\old spam(120260):X-message-flag: Encrypted 128 bit message, authentic sender
\\It\wilton\train\old spam(153943):X-message-flag: Authentic Sender, Hash: CyCoDbFs
\\It\wilton\train\old spam(161587):X-message-flag: Authentic Sender, Hash: TrImMvCf
\\It\wilton\train\old spam(164456):X-message-flag: Authentic Sender, Hash: XjKwKzBh
\\It\wilton\train\old spam(166558):X-message-flag: Authentic Sender, Hash: CsEiDjBy
\\It\wilton\train\old spam(170552):X-message-flag: Authentic Sender, Hash: WqDqUsLk
\\It\wilton\train\old spam(210712):X-message-flag: Authentic Sender, Hash: XuCsCtVs
\\It\wilton\train\old spam(257365):X-message-flag: Authentic Sender, Hash: YlDvLbRe
\\It\wilton\train\old spam(304855):X-message-flag: Authentic Sender, Hash: SoBqSbGk
33 occurrence(s) have been found.

All in spam, none in ham.  Curious.  I wonder what that could mean?  :-)

        Loren