On Monday 11 October 2004 12:43 pm, Justin Mason wrote:
> Jeremy Rumpf writes:
> > I've seen a few messages recently that contained the header
> >
> > X-message-flag: Authentic Sender, Hash: PoHgCaAr
> >
> > My questions are, are they trying to simulate something like hash cash?
> > Does anyone know of a MUA that inserts/utilizes this header?
>
> I suspect it's targeted at a specific receiving site -- I have no
> idea which one though. (that's what X-Message-Info is apparently
> intended to do.)
>
> If that's the case it makes a killer spam-sign for people on any other
> ISP ;)
>
> Has anyone seen these headers? Perhaps AOL?
>
> --j.
>
> > I would like to insert a local rule to score on this similar to the
> > X_MESSAGE_INFO rule in 20_ratware.cf, but wanted to ask of others'
> > opinion first:
> >
> > header X_MESSAGE_INFO exists:X-Message-Info
> > describe X_MESSAGE_INFO Bulk email fingerprint (X-Message-Info) found
> >

My thought was perhaps the token was being used to track any replies. I've dug
through my archive and found other text in that header as well:

From: "Maryellen" <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: ***SPAM*** FDA diet meds online
Date: Fri, 27 Aug 2004 14:48:53 -0800
MIME-Version: 1.0
Content-Type: multipart/related; boundary="----=_NextPart_000_00TM_05X4847UF_02C.665I05X0"
X-Mailer: Microsoft Office Outlook, Build 11.0.6353
X-message-flag: Encrypted 128 bit message, authentic sender
Message-Id: <[EMAIL PROTECTED]>

And also some that are intended otherwise:

Date: Thu, 13 May 2004 10:59:33 +0200
From: Olivier Tharan <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: Issue with reject_unknown_client and CNAME Data as per RFC2317
Message-ID: <[EMAIL PROTECTED]>
Mail-Followup-To: [EMAIL PROTECTED]
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
Mime-Version: 1.0
Content-Type: text/plain; charset=us-ascii
Content-Disposition: inline
In-Reply-To: <[EMAIL PROTECTED]>
X-message-flag: Outlook: spreading viruses since 1997! http://www.rodos.net/ outlook/
X-AntiVirus: checked by Vexira MailArmor (version: 2.0.1.14; VAE: 6.25.0.3; VDF: 6.25.0.61; host: russian-caravan.cloud9.net)
Sender: [EMAIL PROTECTED]
Precedence: bulk

Date: Wed, 5 May 2004 09:49:52 -0700 (PDT)
From: Rich Shepard <[EMAIL PROTECTED]>
To: [EMAIL PROTECTED]
Subject: Re: UCE regex: defining complete words only
In-Reply-To: <[EMAIL PROTECTED]>
Message-ID: <[EMAIL PROTECTED]>
References: <[EMAIL PROTECTED]> <[EMAIL PROTECTED]>
X-message-flag: Sent virus-free from a linux system.
MIME-Version: 1.0
Content-Type: TEXT/PLAIN; charset=US-ASCII
X-AntiVirus: checked by Vexira MailArmor (version: 2.0.1.14; VAE: 6.25.0.3; VDF: 6.25.0.48; host: ca momile.cloud9.net)
Sender: [EMAIL PROTECTED]
Precedence: bulk

So the initial rule will concentrate on the syntax format instead of just
checking for the existence of the header:

X-message-flag: Authentic Sender, Hash: TrVfLjGp

Thanks,
Jeremy
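
Added example (not part of the original message and not SpamAssassin code): a small Python comparison of an existence-only check with a syntax check on X-message-flag, run over constructed sample messages that reuse the header values quoted above. The 8-letter token pattern is an assumption inferred from the two tokens in this thread, and the addresses, subjects and bodies are placeholders.

```python
import re
from email import message_from_string

# Assumption: the token is exactly 8 ASCII letters, inferred only from the two
# values quoted in the thread (PoHgCaAr, TrVfLjGp).
HASH_FLAG = re.compile(r"Authentic Sender, Hash: [A-Za-z]{8}")

def _msg(flag_header):
    # Constructed sample message; only the X-message-flag text is from the thread.
    return ("From: sender@example.com\nSubject: sample\n"
            + flag_header + "\n\nbody\n")

SAMPLES = {
    "hash_token": _msg("X-message-flag: Authentic Sender, Hash: PoHgCaAr"),
    # Same kind of header folded across two lines, as a relay or MUA may emit it.
    "hash_token_folded": _msg("X-Message-Flag: Authentic Sender,\n Hash: TrVfLjGp"),
    "encrypted_variant": _msg(
        "X-message-flag: Encrypted 128 bit message, authentic sender"),
    "list_mail_joke": _msg("X-message-flag: Sent virus-free from a linux system."),
    "no_flag": "From: sender@example.com\nSubject: sample\n\nbody\n",
}

def flag_values(raw):
    """All X-Message-Flag values, unfolded, with whitespace runs collapsed."""
    msg = message_from_string(raw)  # header lookup is case-insensitive
    return [" ".join(v.split()) for v in msg.get_all("X-Message-Flag", [])]

def exists_rule(raw):
    """Existence-only check, like the X_MESSAGE_INFO rule quoted in the thread."""
    return bool(flag_values(raw))

def syntax_rule(raw):
    """Fire only when the whole value has the 'Authentic Sender, Hash:' shape."""
    return any(HASH_FLAG.fullmatch(v) for v in flag_values(raw))

def evaluate(samples=SAMPLES):
    """Map sample name -> (exists_rule result, syntax_rule result)."""
    return {name: (exists_rule(raw), syntax_rule(raw))
            for name, raw in samples.items()}

if __name__ == "__main__":
    for name, (exists, syntax) in evaluate().items():
        print(f"{name:18} exists={exists!s:5} syntax={syntax}")
```

The existence check also fires on the mailing-list message, while the syntax check does not; the "Encrypted 128 bit message" variant is outside this pattern and would need its own.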