On Fri, 5 Apr 2002, Elwood Blues wrote:
> > if $header_X-Mailer: contains "Advanced Mass Sender" or
> > $header_X-Mailer: contains "Mail Bomber" or
...
> if $h_x-mailer matches "(diffondi|Prospect Mailer|Aureate Group Mail|\
> Microsoft Outlook Express 4.72.1712.3|CyberCreek Avalanche|\
...
> The Mozilla and Outlook Express rules are correct, they reference
> versions that were never released, and bulkmailers have been known
> to use those strings.

Yep. That's what I found through grepping through over ten thousand
emails (including over a thousand spams).

Sometimes I manually save spam for research. In this spam box with over
1300 spams:

  45 X-Mailer: Microsoft Outlook Express 5.00.2919.6700
  33 X-Mailer: Microsoft Outlook Express 4.72.1712.3
  13 X-Mailer: diffondi V4,0,1,0 (W95/NT) (Build: Feb 20 2001)
  12 X-Mailer: Microsoft Outlook Express 5.00.2615.200
   9 X-Mailer: Mozilla 4.72 [en] (Win98; U)
   8 X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2910.0)
   7 X-Mailer: QUALCOMM Windows Eudora Pro Version 4.1
   6 X-Mailer: The Bat! (v1.49)
   6 X-Mailer: Microsoft Outlook Express 5.50.4133.2400
   5 X-Mailer: SMRmail -^_tiscon AG Infosystems
   5 X-Mailer: Microsoft Outlook Express 5.50.4522.1200

I posted it all at
http://www.reedmedia.net/misc/mail/x-mailer-of-spams

I found that many x-mailers are just bogus/random text.

And I posted my current bad list (based on suggestions above) at
http://www.reedmedia.net/misc/mail/bad-x-mailer

It looks like I should add some more based on my other list.

Also, I am curious: what is more efficient -- doing one "if" check per
each or doing a long regex with many branches?

I combined them all in a regex and got:

  Error in message_filter file: string is too long in line 407 of filter
  file (max = 256 chars)

I guess it is easier to read when they are all listed one at a time.

Jeremy C. Reed
....................................................
BSD software, documentation, resources, news...
http://bsd.reedmedia.net/
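
Added example, not part of the original post and not Exim's own code: one way to keep a combined X-Mailer regex under the 256-character string limit from the error above is to pack the bad list into several shorter alternations joined with "or". The function names are hypothetical, the sample list is constructed from strings quoted in this thread, and reserving two characters for the surrounding quotes is a conservative assumption.

```python
MAX_STRING = 256  # limit taken from the error message quoted in the post

# Constructed sample bad list, using X-Mailer strings that appear in the thread.
# Fragments are used as regex text unchanged, as in the quoted rule ("." matches any char).
BAD_MAILERS = [
    "Advanced Mass Sender", "Mail Bomber", "diffondi", "Prospect Mailer",
    "Aureate Group Mail", "Microsoft Outlook Express 4.72.1712.3",
    "CyberCreek Avalanche",
]

def pack_alternations(fragments, limit=MAX_STRING):
    """Group fragments into "(a|b|c)" strings of at most limit - 2 characters
    (two characters reserved for the surrounding quotes: an assumption)."""
    budget = limit - 2
    groups, current, length = [], [], 2  # 2 = the enclosing parentheses
    for frag in fragments:
        # Characters that need Exim string quoting are rejected, not guessed at.
        if any(c in frag for c in '"\\$'):
            raise ValueError(f"needs Exim quoting, handle by hand: {frag!r}")
        if len(frag) + 2 > budget:
            raise ValueError(f"fragment alone exceeds the limit: {frag!r}")
        extra = len(frag) + (1 if current else 0)  # 1 = the "|" separator
        if current and length + extra > budget:
            # Current group is full: close it and start a new one.
            groups.append("(" + "|".join(current) + ")")
            current, length, extra = [], 2, len(frag)
        current.append(frag)
        length += extra
    if current:
        groups.append("(" + "|".join(current) + ")")
    return groups

def filter_condition(fragments, limit=MAX_STRING):
    """Build an Exim filter "if" condition with one "matches" test per group."""
    tests = [f'$h_x-mailer: matches "{g}"'
             for g in pack_alternations(fragments, limit)]
    return "if " + " or\n   ".join(tests) + "\nthen"

if __name__ == "__main__":
    # A small limit is used here only to show the split on a short list.
    print(filter_condition(BAD_MAILERS, limit=80))
```

The generated text stops at "then"; the action and the closing "endif" are left to the filter author.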