An analysis of the X- headers in my spam

Introduction

RFC 822 allows people to define and use additional header fields in their emails. The names of these fields start with X-, for example X-Quarantine-ID or X-Spam-Score. Usually these headers are not too interesting. I wanted to see if spammers use any custom fields in the spam messages that they send out.

Analysing spam

I took a spam message and checked its X- headers. The following are the X-headers that I think can be ignored:

  • X-MimeOLE
  • X-Spam-Status (added by spamassassin)
  • X-Account-Key, X-Mozilla-Status2 and X-Mozilla-Status are added by Thunderbird
  • X-Mailer
  • X-Original-To
  • X-Quarantine-ID

Any header outside of the above list promises to be interesting.

Summary: X-headers in my spam

I ran a script on my spam mbox file (i.e. mails that have been marked as spam by spamassassin) to see what I could dig up. The following X-headers look interesting because they occur only a few times. (Caveat: I don't think I have enough spam.)

X-DSNContext
This seems to be a header set by MS Exchange.
X-AntiVirus: Checked,
This seems to be a header set by spammers to confuse the mail filter.
X-ME-UUID
Looks like a header set by some mail server.
X-Source, X-Source-Args, X-Source-Dir, X-Spam
These are headers set by phplist.
X-Failed-Recipients
This is a header generated by exim when it handles mailing lists. Looks like some spammer has a mailing list with all his targeted email ids in it.

Summary: X-headers in non-spam email

I ran my script on an mbox which had emails from one of the mailing lists I am on. Some interesting headers:

X-AOL-IP
Self explanatory
X-BigFish
Ummm, no clue
X-Disclaimer
Hehe
X-Ninja-AttachmentFiltering, X-Ninja-PIM
Seems like a rarely used mail client

Script used in analysing the headers

This is a Perl script that uses regular expressions to find the interesting X-headers. You can get the script from here. The interesting parts are explained below.

The isinterestingheader function filters out the uninteresting headers.

sub isinterestingheader($)
  {
    my $header = shift;
    # X- headers that are known noise; each entry is a regex fragment,
    # so Mozilla-.* covers X-Mozilla-Status, X-Mozilla-Status2 and so on
    my @ignore_x_headers = qw/Original-To Spam-Status Mozilla-.* Quarantine-ID Virus-Scanned
                              Spam-Score Spam-Level Spam-Flag Amavis-.* Mailer Priority
                              Account-Key/;
    my $regex_ignore_x_headers = join( "|", @ignore_x_headers );

    # anchored at the start so the ignore list is matched against the header name itself
    unless ( $header =~ /^X-($regex_ignore_x_headers)/i ) {
      #print "[$header] is interesting\n";
      return 1;
    }
    return 0;
  }

If you want to ignore or unignore any particular X-header, add it to or remove it from the @ignore_x_headers array.

The loop below is the main workhorse. It iterates over the lines of the mbox file; whenever it finds an X-header it extracts the name and value, checks whether the header is interesting and, if so, stuffs it into the %xheaders hash.

while (<INFILE>) {
    my $mline = $_;

    # $1 is the header name up to the colon, $2 the value after it.
    # (The original pattern /(^X-.*).*:\s(.+)/ was greedy and let $1 run up to
    # the last ": " on the line, so part of the value could end up in the name.)
    # Note: every line is tested, so a body line starting with "X-" is counted too,
    # and folded continuation lines of a header are not joined to its value.
    if ( $mline =~ /^(X-[^:\s]+):\s*(.*)/ ) {
      if ( isinterestingheader($1) ) {
        countthisheader($1, $2);
      }
    }
  }
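The same analysis reimplemented in Python, as an added example that is not the author's Perl script, covering both the filter function and the main loop above. It uses the standard mailbox and email modules, so only each message's header block is scanned and folded headers are joined, and it keeps a few sample values per header like the raw data below. The two-message mbox is constructed for the demo.

```python
import mailbox
import re
import tempfile
from collections import Counter, defaultdict

# Same ignore list as the Perl script; the regex is anchored to the whole name
# so an entry such as "Priority" does not also swallow X-MSMail-Priority.
IGNORE_X_HEADERS = ["Original-To", "Spam-Status", r"Mozilla-.*", "Quarantine-ID",
                    "Virus-Scanned", "Spam-Score", "Spam-Level", "Spam-Flag",
                    r"Amavis-.*", "Mailer", "Priority", "Account-Key"]
IGNORE_RE = re.compile(r"^X-(?:%s)$" % "|".join(IGNORE_X_HEADERS), re.IGNORECASE)

def is_interesting_header(name):
    """True for X- headers that are not on the ignore list."""
    return name.lower().startswith("x-") and IGNORE_RE.match(name) is None

def count_x_headers(mbox_path, max_samples=3):
    """Count interesting X- headers over every message in an mbox file. The email
    parser exposes only the header block (body lines are never seen) and joins folded lines."""
    counts, samples = Counter(), defaultdict(list)
    for msg in mailbox.mbox(mbox_path):
        for name, value in msg.items():
            if is_interesting_header(name):
                counts[name] += 1
                if len(samples[name]) < max_samples:
                    samples[name].append(" ".join(value.split()))
    return counts, samples

# Constructed two-message mbox (not real mail): note the folded X-AntiVirus header.
SAMPLE_MBOX = """From spammer@example.invalid Mon Nov  5 10:00:00 2007
From: spammer@example.invalid
X-Mailer: Microsoft Outlook Express 6.00
X-AntiVirus: Checked by Dr.Web [version: 4.44,
 updated: 29.02.2004]
X-Failed-Recipients: a@example.invalid

X-Not-A-Header: this is body text, not a header

From list@example.invalid Mon Nov  5 11:00:00 2007
From: list@example.invalid
X-Failed-Recipients: b@example.invalid
X-MSMail-Priority: Normal
X-Mozilla-Status: 0001
"""

def demo():
    with tempfile.NamedTemporaryFile("w", suffix=".mbox", delete=False) as fh:
        fh.write(SAMPLE_MBOX)
    return count_x_headers(fh.name)
```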

Raw data

Spam

Result of running the script on my spam folder (2704 mails). Another note: UIDL is Unique IDentification Listing, so the X-UIDL count in the results below is the number of emails in the mbox file.

Header  Count  Sample values (comma-separated list)
X-Accept-Language 22 -
X-AntiAbuse 15 -
X-AntiVirus: Checked 1 29.02.2004]
X-AntiVirus: Checked 1 23.00.2006]
X-AntiVirus: Checked 1 21.10.2007]
X-Antivirus 87 -
X-Antivirus-Status 87 -
X-Authenticated 1 #08894883
X-BeenThere 3 (email address hidden), (email address hidden), denmark@vendome-corn
X-DSNContext 1 335a7efd - 4523 - 00000001 - 80040546
X-Eagle-Notice: Send 1 [news #38922] Your doctor\222s advice
X-ME-UUID 2 (email address hidden), 20071018140851841.CD4
X-MIMEOLE 32 -
X-MSMail-Priority 1817 -
X-Mailman-Version 3 2.1.9, 2.1.9, 2.1.9
X-MimeOLE 1939 -
X-OriginalArrivalTim 3 Thu, 13 Sep 2007 05:59:30 -0600, 07 Nov 2007 00:30:21.0042 (UTC) FILETIME=[612B7
X-Originating-Email 1 [r(email address hidden)]
X-Originating-IP 30 -
X-Originating-Server 2 chilean.ebaystatic.com (labshost.com.moebelheinrich.de [110.96.122.184]), chilea
X-SMTP-Server-Queue- 1 782D21C00887
X-SMTP-Server-Sender 1 rfc822; (email address hidden)
X-Scanned-By 1 Digested by UGA Mail Gateway on 128.192.1.75
X-Sender 41 -
X-Source 1 /usr/local/cpanel/3rdparty/bin/php
X-Source-Args 2 /usr/local/cpanel/3rdparty/bin/php /usr/local/cpanel/base/3rdparty/squirrelmail/
X-Source-Dir 2 :/base/3rdparty/squirrelmail/src, agitatudo.com:/public_html/site/components/com
X-Spam 1 Not detected
X-UIDL 2704 -
X-USER_IP 1 74.0.178.152
X-Version 5 2.0.2, 2.0.2, 2.0.2, 2.0.2, 2.0.2
X-Warning 2 yahoo.it is listed at postmaster.rfc-ignorant.org, yahoo.it is listed at abuse.r
X-Yahoo-Calendar-Iid 1 IxA1ic3%40o23I%40bQzFhIPy%40dabUuc%40KhH
X-Yahoo-Newman-Id 1 tinaakimrs36#ib-1191688048-tinaakimrs36#ib:6
X-Yahoo-Newman-Prope 1 calendar-invite
X-me-spamlevel 1 med
X-me-spamrating 1 77.426110
X-remove 1 66958

I ran the script on the mbox file that had been marked as spam by Thunderbird (979 mails). The results are:

Header  Count  Sample values (comma-separated list)
X-Accept-Language 1 en-us
X-AntiAbuse 5 This header was added to track abuse, please include it with any abuse report, P
X-AntiVirus: Checked 1 21.10.2007]
X-Antivirus 43 -
X-Antivirus-Status 43 -
X-DSNContext 1 335a7efd - 4446 - 00000001 - 80040546
X-ELNK-Trace 1 cfd75b53fdaf59ca3366623b7f6a8e4a89e6754a908ffd693db58eff436b9b054f89210dab4adbbb
X-Eagle-Notice: Send 1 [news #38922] Your doctor\222s advice
X-Failed-Recipients 1 (email address hidden)
X-MIMEOLE 18 -
X-MSMail-Priority 713 -
X-MimeOLE 734 -
X-OriginalArrivalTim 4 29 Oct 2007 08:27:42.0578 (UTC) FILETIME=[93234520:01C81A05], 03 Nov 2007 06:20:
X-Originating-Email 2 [r(email address hidden)], [s(email address hidden)]
X-Originating-IP 4 209.86.224.50, [79.210.6.45] , [122.161.25.59], [193.220.212.16]
X-Originating-Server 1 [12.114.117.239] (HELO milftape.com)
X-Sender 1 (email address hidden)
X-UIDL 979 -

Non Spam

Header  Count  Sample values (comma-separated list)
X-AOL-IP 14 -
X-Accept-Language 5 en-us, en, ja, en-us, en, ja, en-us, en, en-us, en, en-us, en, ja
X-AntiAbuse 10 -
X-Authenticated 1 #15864248
X-Authenticated-Send 1 (email address hidden)
X-BeenThere 756 -
X-BigFish 3 V, V, V
X-Brightmail-Tracker 24 -
X-Brightmail-scanned 24 -
X-Disclaimer 1 Added
X-ELNK-Trace 95 -
X-EN-AuthUser 4 (email address hidden), (email address hidden), (email address hidden), (email address hidden)
X-EN-UserInfo 4 5af75cd46c1ca8979d7582ce798d9964:1d2a11e68e3a5cb29e3c548bab12dcb9, 5af75cd46c1ca
X-Enigmail-Version 97 -
X-Env-Sender 29 -
X-Flow-Control 1 Sendmail Flow Controller v1.6.3 bemtal03.swift.com
X-Google-Sender-Auth 11 -
X-IronPort-AV 10 -
X-IronPort-Anti-Spam 4 true, true, true, true
X-IronPort-Anti-Spam 4 Ah4FAP4Mg0aWZZpy/2dsb2JhbACBT4EY, Ao8CAA+3m0aWZZpx/2dsb2JhbACBSYEY, AgAAALLv+kaW
X-MB-Message-Source 14 -
X-MB-Message-Type 14 -
X-MDRemoteIP 1 192.168.101.13
X-MIME-Warning 3 Serious MIME defect detected (), Serious MIME defect detected (), Serious MIME d
X-MIMEOLE 22 -
X-MIMETrack 5 Serialize by Router on DOMMEL01/AU/MYOB(Release, Serialize by Router on ghdom_ap
X-MS-Has-Attach 3 yes, yes, yes
X-MSMail-Priority 108 -
X-Mailman-Approved-A 4 Tue, 17 Oct 2006 14:51:47 -0700, Mon, 13 Nov 2006 13:41:57 -0800, Mon, 13 Nov 20
X-Mailman-Version 756 -
X-MimeOLE 252 -
X-Msg-Ref 29 -
X-NAIMIME-Disclaimer 6 1, 1, 1, 1, 1, 1
X-NAIMIME-Modified 6 1, 1, 1, 1, 1, 1
X-Ninja-AttachmentFi 1 (no action)
X-Ninja-PIM 1 Scanned by Ninja
X-Nokia-AV 13 -
X-OriginalArrivalTim 105 -
X-Originating-Email 9 [c(email address hidden)], [r(email address hidden)], [r(email address hidden)], [rmcilree
X-Originating-IP 142 -
X-Proofpoint-Spam-De 1 rule=notspam policy=default score=0 spamscore=0
X-Proofpoint-Virus-V 1 vendor=fsecure engine=4.65.5446:2.3.11, 1.2.37,
X-Provags-ID 1 V01U2FsdGVkX1+D+zVCqUODw33xCMTOmmtG9xwhGTZTbjCAY9UNoU
X-Provags-ID2 1 V01U2FsdGVkX18ARz/emDKd0zOFIeqrkoNaQg3vKbE987xNH1i
X-Return-Path 1 (email address hidden)
X-Scan-Signature 3 59fbbbeddf57f03b6f4e4ac3778d6a97, 95f51ce3d4c4e0f1e1d6f3eecbbcfce0, 95f51ce3d4c4
X-Scanner 1 InterScan AntiVirus for Sendmail
X-Sender 9 (email address hidden), (email address hidden), (email address hidden), rmcilree@hotmai
X-Sender-IP 1 128.143.197.234
X-Spam-Processed 1 aktivsystems.ru, Mon, 28 May 2007 16:46:53 +0400
X-StarScan-Version 29 -
X-TM-AS-Product-Ver 42 -
X-TM-AS-Result 42 -
X-Tiga.PelayanWeb.co 2 Found to be clean, Found to be clean
X-Tiga.PelayanWeb.co 2 (email address hidden), (email address hidden)
X-Tiga.PelayanWeb.co 2 Please contact the ISP for more, Please contact the ISP for more
X-UIDL 756 -
X-URL 2 http://mail2web.com/, http://mail2web.com/
X-UVA-Virus-Scanned 3 by amavisd-new at fork2.mail.virginia.edu, by amavisd-new at fork6.mail.virginia
X-UVa-Vac-OK 1 1
X-Virus-Status 35 -
X-VirusChecked 29 -
X-VisionSystems-Mail 7 Found to be clean, Found to be clean, Found to be clean, Found to be clean, Foun
X-VisionSystems-Mail 7 (email address hidden), (email address hidden), david.growse@vision-fs.c
X-WiganSS 1 0100000001001Fwhexchmb03.bsna.bsroot.bear.com
X-Y-GMX-Trusted 1 0
X-YMail-OSG 4 IDs9bdsVM1lXZWLQ70iCLuQtkVuem5I9pruupVhilWv27I1aV34UeauN0WeYW.SZt4b8nZGDwkxfOP9R
X-bsdisclaimer 1 standard
X-eXpurgate-Category 3 1/0, 1/0, 1/0
X-eXpurgate-ID 3 149371::070228103941-0F893BB0-01554729/0-0/0-1, 149371::070311184930-3F13DBB0-4A
X-imss-approveListMa 2 @optus.com.au, @optus.com.au
X-imss-result 2 Passed, Passed
X-imss-version 2 2.047, 2.047

Additional information