Most illegal junkmail senders (I would imagine), use proprietary applications to pour their swill down our throats.
Although many probably use the normal apps like Outlook, the die-hard ones must use custom-coded apps (and the people using them are not the programmers, I bet).
Correct.
Like Outlook Express and Eudora, they should leave header information in the email about the client type, right? Or am I being naive?
Actually, the mail client information ("X-Mailer:") is optional. A good mail client will include it (showing both the program name and version) for help in tracking down problems (the marketing appeal of the header is a nice added benefit, too).
No good spamware adds a legitimate X-Mailer: header, however. They used to -- but people quickly caught on and started blocking mail with "X-Mailer: Spammer's Friend v1.00". Some spamware has no X-Mailer: header, some add a fake X-Mailer: header.
Is there a list (public) that properly represents junkmail client header "signatures"?
Not that I am aware of.
Going through about 2,000 recent spams that we recently received, 1,320 had X-Mailer: headers (about 66%).
Of those 1,320 that had X-Mailer: headers, 757 had "Outlook" in them somewhere. 79 had "Eudora". 79 had AOL. 73 had "Internet Mail Service". 40 had "The Bat". 29 had "Pegasus". That left about 400 (20% of the spam) that had other misc. X-Mailer: headers, some of which were from other mail clients, but none were obviously spamware (except for a few with random strings).
And leading into that statement, here is something I found in a recent junk email that led me into that line of thought:
X-Library: Indy 10.00.14-B
To: B8V81858
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416
I am referring to the X-Library option. Is this legitimate? Or something that is filterable as junk?
I've never seen an X-Library header before. A Google search for "X-Library indy" shows that it is definitely used in spam, but could possibly be used by legitimate mail clients too.
Also, I see a lot of headers that indicate a "To:" or a destination email with no period and TLD indicator (like above).
Unfortunately, legitimate mail from mailing lists often does too ("To: undisclosed-recipients", for example).
-Scott
---
Declude JunkMail: The advanced anti-spam solution for IMail mailservers.
Declude Virus: Catches known viruses and is the leader in mailserver vulnerability detection.
Find out what you've been missing: Ask about our free 30-day evaluation.
--- This E-mail came from the Declude.JunkMail mailing list. To unsubscribe, just send an E-mail to [EMAIL PROTECTED], and type "unsubscribe Declude.JunkMail". The archives can be found at http://www.mail-archive.com.
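An added example (my own code, not from Scott or the Declude list) of the kind of tally described above: it parses raw messages with Python's standard email module, buckets X-Mailer: values into the client families Scott counted, and flags the two oddities discussed (an X-Library: header and a To: with no domain) while exempting the undisclosed-recipients form that legitimate list mail uses. The family substrings, the matching order and the sample messages are constructed assumptions.

```python
"""Tally X-Mailer families and flag the header oddities discussed in the thread."""
import re
from collections import Counter
from email import message_from_string

# Substrings for the client families counted in the thread; first match wins.
FAMILIES = ["Outlook", "Eudora", "AOL", "Internet Mail Service", "The Bat", "Pegasus"]

def mailer_family(msg):
    """Client family named in X-Mailer:, 'other' for an unknown value, None if absent."""
    value = msg.get("X-Mailer")
    if value is None:
        return None
    for name in FAMILIES:
        if name.lower() in value.lower():
            return name
    return "other"

def odd_recipient(msg):
    """True when To: is a bare token with no @domain.tld; the list-style
    'undisclosed-recipients' form is legitimate and is not flagged."""
    to = (msg.get("To") or "").strip()
    if not to or "undisclosed-recipients" in to.lower():
        return False
    return re.search(r"@[\w.-]+\.[a-z]{2,}", to, re.I) is None

def triage(raw_messages):
    """Aggregate family counts and oddity flags over a list of raw RFC 822 texts."""
    families, flags = Counter(), Counter()
    for raw in raw_messages:
        msg = message_from_string(raw)
        families[mailer_family(msg) or "<none>"] += 1
        if msg.get("X-Library"):
            flags["x-library"] += 1
        if odd_recipient(msg):
            flags["bare-to"] += 1
    return families, flags

# Constructed sample messages (not real mail); the first mirrors the quoted header block.
SAMPLES = [
    "X-Library: Indy 10.00.14-B\nTo: B8V81858\nX-Mailer: Microsoft Outlook IMO, Build 9.0.2416\nSubject: x\n\nbody\n",
    "To: undisclosed-recipients:;\nX-Mailer: Pegasus Mail for Windows\nSubject: list post\n\nbody\n",
    "To: alice@example.com\nX-Mailer: Eudora 5.1\nSubject: hi\n\nbody\n",
    "To: bob@example.org\nSubject: no mailer header\n\nbody\n",
]

if __name__ == "__main__":
    fams, fl = triage(SAMPLES)
    for fam, n in fams.most_common():
        print(f"{fam:>12}: {n}")
    print(dict(fl))
```

Run against a directory of saved spam and the per-family counts can be compared with the percentages Scott quotes.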
