The easiest way to verify this stuff is to search Google for the whole X-Mailer string and look for legit messages from it. MIME-tools is also used legitimately. I think that one of these can have problems with BADHEADERS also, though that might be a configuration issue. If you want to see how often it is used to spam, search Google Groups for the X-Mailer in question along with "group:*abuse*" (without the quotes).
MIME-tools
http://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&scoring=d&q=%22X-Mailer%3A+MIME-tools%22&btnG=Google+Search
http://groups.google.com/groups?hl=en&lr=&ie=ISO-8859-1&scoring=d&q=%22X-Mailer%3A+MIME-tools%22+group%3A*abuse*&btnG=Google+Search
MIME::Lite
http://www.google.com/search?hl=en&lr=&ie=ISO-8859-1&scoring=d&q=%22X-Mailer%3A+MIME%3A%3ALite%22&btnG=Google+Search
http://groups.google.com/groups?hl=en&lr=&ie=ISO-8859-1&scoring=d&q=%22X-Mailer%3A+MIME%3A%3ALite%22+group%3A*abuse*&btnG=Google+Search
Note that just one spammer using this X-Mailer, forged or legit, could wind up resulting in all the hits in Google Groups, so watch out for punishing those that use these legitimately on Web sites and the like.
Matt
Colbeck, Andrew wrote:
The header is inserted by a Perl module of the same name. It was created for legitimate uses, and I've been weighting it for quite a while; I haven't found a reason to change this weighting yet, but YMMV:
HEADERS 9 CONTAINS X-Mailer: MIME-tools
HEADERS 7 CONTAINS X-Mailer: MIME::Lite
I hold on 20.
Andrew 8)
-----Original Message-----
From: John Tolmachoff (Lists) [mailto:[EMAIL PROTECTED]
Sent: Friday, January 02, 2004 11:08 AM
To: [EMAIL PROTECTED]
Subject: [Declude.JunkMail] Mailer type
Has anyone seen this in the header of legit?
X-Mailer: MIME-tools 5.411 (Entity 5.404)
John Tolmachoff
Engineer/Consultant/Owner
eServices For You
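How the two weighted rules and the hold weight of 20 quoted above interact, as an added example that is not part of the original messages and is not Declude's code. The parser follows only the rule-line form shown in the thread; `other_weight`, the `>=` hold comparison and the sample messages are assumptions constructed for illustration.

```python
import email

# Rule lines in the form quoted in the thread: HEADERS <weight> CONTAINS <text>
RULES_TEXT = """\
HEADERS 9 CONTAINS X-Mailer: MIME-tools
HEADERS 7 CONTAINS X-Mailer: MIME::Lite
"""
HOLD_AT = 20  # hold weight from the thread; the ">=" comparison is an assumption

# Constructed sample: legitimate web-form mail with a folded X-Mailer header.
WEB_FORM = ("From: forms@example.com\nSubject: Contact form\n"
            "X-Mailer:\n MIME-tools 5.411 (Entity 5.404)\n\nHello from the site.\n")
# Constructed sample: the string appears only in the body, as in this thread.
DISCUSSION = ("From: admin@example.org\nSubject: Mailer type\n\n"
              "Has anyone seen X-Mailer: MIME-tools in legit mail?\n")


def normalize(text):
    """Collapse whitespace (including header folds) and lowercase."""
    return " ".join(text.split()).lower()


def parse_rules(text):
    """Return (weight, needle) pairs from 'HEADERS <n> CONTAINS <text>' lines."""
    rules = []
    for line in text.splitlines():
        parts = line.split(None, 3)
        if len(parts) == 4 and parts[0] == "HEADERS" and parts[2] == "CONTAINS":
            rules.append((int(parts[1]), normalize(parts[3])))
    return rules


def score(raw, rules, other_weight=0):
    """Total weight, hold decision, and matched rules for one raw message.

    other_weight stands in for points from unrelated tests (hypothetical).
    """
    msg = email.message_from_string(raw)
    headers = [normalize(f"{name}: {value}") for name, value in msg.items()]
    hits = [(w, n) for w, n in rules if any(n in h for h in headers)]
    total = other_weight + sum(w for w, _ in hits)
    return total, total >= HOLD_AT, hits


if __name__ == "__main__":
    rules = parse_rules(RULES_TEXT)
    for label, raw, extra in [("web form", WEB_FORM, 0),
                              ("web form + other tests", WEB_FORM, 12),
                              ("discussion", DISCUSSION, 0)]:
        print(label, score(raw, rules, extra))
```

On its own the X-Mailer match leaves the web-form message well under the hold weight; it only tips a message over when other tests have already added weight.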
