The following Outlook Express version numbers in the X-Mailer header
line indicates that the e-mail is a spam - and can be discarded.

 6.00.3790.4682
 6.00.3790.2962
 6.00.3790.1106
 6.00.3790.181
 6.00.2900.2963
 6.00.2900.2969
 6.00.2800.2962
 6.00.2720.4682
 6.00.2600.4682
 6.00.2600.1409

3 new ones added today:

 6.00.2800.2963
 6.00.2720.1409
 6.00.3790.2963

At least one of these is a valid OE version.

That is OE6 for Win2K3Svr, Cumulative Update 823353.
http://www.microsoft.com/technet/security/bulletin/MS04-018.mspx. Users
of that product should expect that their mail will not be delivered to
whatever domains SG is "responsible" for.

Please establish for yourself whether to make filtering decisions based
on these strings; SG has no idea which of these X-Mailer versions
represent valid releases (or pre-releases) and which do not.

Of course, if you wish to shitcan incoming mail based simply on the
principle that it puports to come from OE, that is a different matter!

--
Jack.

Very good.  Now we're making progress.

6.00.3790.181   OE6 for Win2k3 RTMQFE and 64-bit 2k3 June 2004

So we're looking at a 4 year old version of OE (or the dll responsible
for generating the X-Mailer string, which is msoe.dll).

So what are the odds that my organization is going to receive an OE
e-mail from someone running Windows 2003 Server on their desktop or
laptop?  It's going to be nil.  Add to that, what are the odds that
someone running 2k3 server hasn't kept it updated and still has a
4-year-old version of OE and related files?

But I'll concede that 6.00.3790.181 is (or likely - was) a valid
version, and I will denote it as such in future posts.  It's still odd
that a spammer would choose to use such a "rare" version string.

Like you always say, *I* don't have to do anything just because you
ask for it.

My observations of certain characterist OE strings in spam does not
require that I prove any sort of personal credentials (I haven't seen
yours either).

What my observations do require is evidence that those strings are not
real or valid, and anyone can provide that evidence.

That's true.  

But in the absence of a complete list of actual OE versions, I've
satisfied myself that these numbers are suspect enough to be
trustworthy indicators of spam.

Just to complete this post, the link you provided lists the following
file version numbers:

6.00.2800.1437  (msoe.dll) XP, XP-sp1, 2K-sp3/4, NT4-sp6a,
XP-sp1-64bit
6.00.2800.1450
6.00.2741.2600  (msoe.dll) XP
6.00.2742.200
6.00.3790.181   (msoe.dll) Win2k3 RTMQFE and 64-bit 2k3 June 2004
5.50.4942.400   (msoe.dll) Win 2k sp3/sp4/me

I believe that it is the file version of msoe.dll that ends up being
shown on the X-Mailer line, so I would expect to see the first number
on this list in valid e-mail (6.00.2800.1437) but not necessarily the
second number (6.00.2800.1450) unless another microsoft document lists
a version of msoe.dll with that version too.