On Mon, 12 Jan 2004, Dr Andrew C Aitchison wrote:
> On Mon, 12 Jan 2004, Rory Campbell-Lange wrote:
>
[...]
> > Many of these spam senders have the following X-Mailer listed:
> > X-Mailer: mPOP Web-Mail 2.19
> >
> > Is this possible to generate an SMTP-time rejection of a message based
> > on its X-Mailer? Is this sensible?
>
> Looking through my archived mail folders, I have 16 messages from
> bugtraq@??? with that signature. On a brief inspection these aren't spam.
> The other 95 messages I have with that signature have been marked
> as spam, either by spam-assassin or by me.

I'd agree with this assessment, and that of others, from my own
observations of this one over recent weeks (I have my mail client display
X-Mailer: headers by default). It seems that currently, this X-Mailer
header is fairly indicative of spam, but not exclusively so. Probably
adding some points in SpamAssassin is the way to go - it might help a bit.

Another way I check 'suspicious' X-Mailer: headers is to simply do a
Google search on "X-Mailer: whatever". You'll often soon find if it is
likely to appear in a legit message, or of course if it has been discussed
before in spam-discussion environments.

I have other lists of X-Mailer headers that are definitely either bogus or
greatly suspicious/known spamware. I currently have Exim reject on seeing
these in the DATA ACL; however there have been false positives from time
to time so I've commented one or two out of the list again when these have
been mentioned. I occasionally come across other lists - the one I use
(which probably came from a comment on this list originally) is probably
fairly conservative.

Jethro.
. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .
Jethro R Binks
Computing Officer, IT Services
University Of Strathclyde, Glasgow, UK
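
Added example, not part of the original message and not code from Exim or SpamAssassin: a Python sketch of the archive check described in the thread, counting ham and spam per X-Mailer value before choosing between a DATA-time reject and a SpamAssassin score. The sample archive is constructed, and the `X-Spam-Flag` label, the `ExampleBulkMailer 1.0` name and the thresholds in `recommend` are assumptions.

```python
import email
from email.message import Message

TARGET = "mPOP Web-Mail 2.19"

def make(mailer, spam):
    """Build one constructed RFC 822 message (sample data, not real mail)."""
    m = Message()
    m["From"] = "sender@example.org"
    m["X-Mailer"] = mailer
    m["X-Spam-Flag"] = "YES" if spam else "NO"  # assumed archive label
    m.set_payload("constructed body\n")
    return m.as_string()

# Constructed archive: counts for TARGET mirror those quoted in the thread
# (16 not spam, 95 spam); "ExampleBulkMailer 1.0" is a made-up name.
SAMPLE = ([make(TARGET, False)] * 16 + [make(TARGET, True)] * 95
          + [make("ExampleBulkMailer 1.0", True)] * 30)

def xmailer_stats(raw_messages):
    """Return {x_mailer: (ham, spam)} counted over labelled raw messages."""
    stats = {}
    for raw in raw_messages:
        msg = email.message_from_string(raw)
        mailer = " ".join((msg.get("X-Mailer") or "").split())
        if not mailer:
            continue
        is_spam = (msg.get("X-Spam-Flag") or "").strip().upper() == "YES"
        ham, spam = stats.get(mailer, (0, 0))
        stats[mailer] = (ham + (not is_spam), spam + is_spam)
    return stats

def recommend(ham, spam, min_seen=20, score_ratio=0.5):
    """Thresholds are assumptions for illustration; tune to your own mail."""
    total = ham + spam
    if total < min_seen:
        return "insufficient-data"
    if ham == 0:
        return "reject-candidate"   # still review: archives miss some senders
    if spam / total >= score_ratio:
        return "score-only"         # legitimate senders exist, do not reject
    return "no-action"

if __name__ == "__main__":
    for mailer, (ham, spam) in sorted(xmailer_stats(SAMPLE).items()):
        print(f"{mailer}: ham={ham} spam={spam} -> {recommend(ham, spam)}")
```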