X-Message-Info header: spam or not?


John Nerim

Sep 11, 2004, 4:11:08 PM
Hi,

I was reading my spam and noticed that a lot of them have
an X-Message-Info header. Is it legit, or added by some spamware?

Thanks for your answers.

--
John Nerim <jo...@nerim.net>

NormanM

Sep 12, 2004, 3:33:47 AM
In article <slrnck6m5o....@choam.unix.efrei.fr>, John Nerim says...

> I was reading my spam and noticed that a lot of them have
> an X-Message-Info header. Is it legit, or added by some spamware?

Both. I see that header in legitimate messages in my Hotmail account.
Apparently it is some kind of hash added by the MSN mail system. I don't
have an MSN Internet Access account to test this, but email from MSN users
has some of the same identifiers as Hotmail in the message headers; so it
is reasonable to think that MSN adds this header in their incoming email.
The key is, this is internal to the MSN mail systems, and would only be seen
in incoming email to hotmail.com and msn.com accounts (and any other MSN
email accounts in the various other national TLDs that MSN maintains).

I have also seen spammers add it to their spam; possibly as a way of
deflecting complaints onto MSN. I have never seen this header in legitimate
email except for that received at Hotmail, though, so I am reasonably
confident in using that as a filter key for spam.

One other thing you must keep in mind: X-Headers are not standardized,
except in the general form that they should take. They can mean anything,
and are often designed to be used internally by the mail handlers of the
system which is generating them. It is entirely possible that some other
mail service is using X-Message-Info in legitimate email, so block on that
header at your own risk.

--
Norman
~Win dain a lotica, En vai tu ri, Si lo ta
~Fin dein a loluca, En dragu a sei lain
~Vi fa-ru les shutai am, En riga-lint

Jorgen Grahn

Sep 12, 2004, 10:41:26 AM
On Sun, 12 Sep 2004 07:33:47 GMT, NormanM <spam...@blackhole.invalid> wrote:
> In article <slrnck6m5o....@choam.unix.efrei.fr>, John Nerim says...
>
>> I was reading my spam and noticed that a lot of them have
>> an X-Message-Info header. Is it legit, or added by some spamware?
>
> Both. I see that header in legitimate messages in my Hotmail account.
...

> The key is, this is internal to the MSN mail systems, and would only be seen
> in incoming email to hotmail.com and msn.com accounts (and any other MSN
> email accounts in the various other national TLDs that MSN maintains).
>
> I have also seen spammers add it to their spam; possibly as a way of
> deflecting complaints onto MSN. I have never seen this header in legitimate
> email except for that received at Hotmail, though, so I am reasonably
> confident in using that as a filter key for spam.

Confirmed on my system. I have no mailboxes at MSN or Hotmail, but I
have 98 messages with X-Message-Info headers. All of them are spam.

/Jorgen

--
// Jorgen Grahn <jgrahn@ Ph'nglui mglw'nafh Cthulhu
\X/ algonet.se> R'lyeh wgah'nagl fhtagn!

those who know me have no need of my name

Sep 12, 2004, 11:42:22 AM
in comp.mail.headers i read:

>The key is, this is internal to the MSN mail systems, and would only be seen
>in incoming email to hotmail.com and msn.com accounts (and any other MSN
>email accounts in the various other national TLDs that MSN maintains).

or messages resent by members of same.

--
a signature

NormanM

Sep 16, 2004, 12:13:59 AM
In article <m1brgb8...@usa.net>, those who know me have no need of my
name says...

> in comp.mail.headers i read:

Which will only happen if the sender has his Hotmail account set to display
full headers; and even then, it will not show up in the headers of the
resent message.

I filter for "X-Message-Info:" in the headers, only; I do not filter for
"X-Message-Info:" in the body of the message.

those who know me have no need of my name

Sep 19, 2004, 12:18:24 AM
in comp.mail.headers i read:

>In article <m1brgb8...@usa.net>, those who know me have no need of my
>name says...
>> in comp.mail.headers i read:

>>>The key is, this is internal to the MSN mail systems, and would only be
>>>seen in incoming email to hotmail.com and msn.com accounts (and any
>>>other MSN email accounts in the various other national TLDs that MSN
>>>maintains).

>> or messages resent by members of same.

>Which will only happen if the sender has his Hotmail account set to display
>full headers; and even then, it will not show up in the headers of the
>resent message.

you are presuming the use of the web interface. this is not the only way
in which hotmail or msn may be accessed.

--
a signature

NormanM

Sep 19, 2004, 1:48:27 AM
In article <m1llf62...@usa.net>, those who know me have no need of my
name says...

> you are presuming the use of the web interface...

Not quite...

> ...this is not the only way in which hotmail or msn may be accessed.

You are, of course, correct. The only other way that I know of to access MSN
and Hotmail accounts is to use a mail client which understands the HTTPMail
protocol. The only clients that I know of which can do that are MS Outlook
Express, and MS Outlook. Here are some headers to peruse:

As sitting in the local image of the synchronized Hotmail account when
viewed using MSOE6:

vvvvvvvvvvvvvvv
> X-Message-Info: JGTYoYF78jHSOP13zcIHdT14ANm+tB7M
^^^^^^^^^^^^^^^
> Received: from smtpauth2-ext.prodigy.net ([207.115.63.116]) by mc5-f27.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824);
> Mon, 2 Aug 2004 20:47:00 -0700
> Received: from aosake.net (adsl-66-125-88-199.dsl.sntc01.pacbell.net [66.125.88.199])
> (authenticated bits=0)
> by smtpauth2-ext.prodigy.net (8.12.10 auth mps/8.12.10) with ESMTP id i733jfHx421696
> for <..Ç..@hotmail.com>; Mon, 2 Aug 2004 23:45:43 -0400
> Received: from Spooler by aosake.net (Mercury/32 v4.01a) ID MO000031;
> 2 Aug 2004 20:45:34 -0700
> Received: from spooler by aosake.net (Mercury/32 v4.01a); 2 Aug 2004 20:45:13 -0700
> From: "..Ç.." <..Ç..@aosake.net>
> Organization: ..Ç..
> To: ..Ç..@hotmail.com
> Date: Mon, 02 Aug 2004 20:44:54 -0700
> MIME-Version: 1.0
> Subject: Test.
> Priority: normal
> X-Sender: ..Ç..
> X-mailer: Pegasus Mail for Windows (4.21c)
> Content-type: text/plain; charset=US-ASCII
> Content-transfer-encoding: 7BIT
> Content-description: Mail message body
> X-AC-Weight: [####] (Whitelisted) -9999
> X-CC-Diagnostic:
> Message-ID: <27855...@aosake.net>
> Return-Path: ..Ç..@aosake.net
> X-OriginalArrivalTime: 03 Aug 2004 03:47:01.0059 (UTC) FILETIME=[888AE930:01C4790C]

Oddly, when the same message is viewed in the browser, the headers are
rearranged:

> MIME-Version: 1.0
> X-Sender: ..Ç..
> Received: from smtpauth2-ext.prodigy.net ([207.115.63.116]) by mc5-f27.hotmail.com with Microsoft SMTPSVC(5.0.2195.6824); Mon, 2 Aug 2004 20:47:00 -0700
> Received: from aosake.net (adsl-66-125-88-199.dsl.sntc01.pacbell.net [66.125.88.199])(authenticated bits=0)by smtpauth2-ext.prodigy.net (8.12.10 auth mps/8.12.10) with ESMTP id i733jfHx421696for <s0n0...@hotmail.com>; Mon, 2 Aug 2004 23:45:43 -0400
> Received: from Spooler by aosake.net (Mercury/32 v4.01a) ID MO000031; 2 Aug 2004 20:45:34 -0700
> Received: from spooler by aosake.net (Mercury/32 v4.01a); 2 Aug 2004 20:45:13 -0700
vvvvvvvvvvvvvvv
> X-Message-Info: JGTYoYF78jHSOP13zcIHdT14ANm+tB7M
^^^^^^^^^^^^^^^
> Organization: ..Ç..
> Priority: normal
> X-mailer: Pegasus Mail for Windows (4.21c)
> X-AC-Weight: [####] (Whitelisted) -9999
> X-CC-Diagnostic:
> Message-ID: <27855...@aosake.net>
> Return-Path: ..Ç..@aosake.net
> X-OriginalArrivalTime: 03 Aug 2004 03:47:01.0059 (UTC) FILETIME=[888AE930:01C4790C]

After forwarding the message above, using the browser, and the "Forward:"
option:

> Return-path: <..Ç..@hotmail.com>
> Received: from hotmail.com (64.4.16.74) by aosake.net (Mercury/32 v4.01a) with ESMTP ID MG000001;
> 16 Sep 2004 11:11:07 -0700
> Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
> Thu, 16 Sep 2004 00:15:33 -0700
> Received: from 64.161.30.112 by by22fd.bay22.hotmail.msn.com with HTTP;
> Thu, 16 Sep 2004 03:59:37 GMT
> X-Originating-IP: [64.161.30.112]
> X-Originating-Email: [..Ç..@hotmail.com]
> X-Sender: ..Ç..@hotmail.com
> From: "..Ç.." <..Ç..@hotmail.com>
> To: ..Ç..@aosake.net
> Bcc:
> Subject: FW: Test.
> Date: Thu, 16 Sep 2004 03:59:37 +0000
> Mime-Version: 1.0
> Content-Type: text/plain; format=flowed
> Message-ID: <BAY22-F24B7nw...@hotmail.com>
> X-OriginalArrivalTime: 16 Sep 2004 07:15:33.0313 (UTC) FILETIME=[F49A5B10:01C49BBC]
> AC-Weight: [####] (Whitelisted) -9999
> CC-Diagnostic: Body contains "This is just a test" (-9999)

As forwarded using MSOE with the "Forward" option:

> Return-path: <..Ç..@hotmail.com>
> Received: from hotmail.com (64.4.16.197) by aosake.net (Mercury/32 v4.01a) with ESMTP ID MG000030;
> 15 Sep 2004 21:14:05 -0700
> Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
> Wed, 15 Sep 2004 20:55:02 -0700
> Received: from 64.161.30.112 by bay22-dav17.bay22.hotmail.com with DAV;
> Thu, 16 Sep 2004 03:55:02 +0000
> X-Originating-IP: [64.161.30.112]
> X-Originating-Email: [..Ç..@hotmail.com]
> X-Sender: ..Ç..@hotmail.com
> From: "..Ç.." <..Ç..@hotmail.com>
> To: <..Ç..@aosake.net>
> Subject: Fw: Test.
> Date: Wed, 15 Sep 2004 20:53:18 -0700
> Organization: ..Ç..
> MIME-Version: 1.0
> Content-Type: text/plain;
> charset="iso-8859-1"
> Content-Transfer-Encoding: 7bit
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1437
> Disposition-Notification-To: "Samuel Leghorn" <s0n0...@hotmail.com>
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
> Message-ID: <BAY22-DAV17yl...@hotmail.com>
> X-OriginalArrivalTime: 16 Sep 2004 03:55:02.0489 (UTC) FILETIME=[F1AC4C90:01C49BA0]
> X-AC-Weight: [####] (Whitelisted) -9999
> X-CC-Diagnostic: Body contains "This is just a test" (-9999)
> X-PMFLAGS: 34078720 0 1 6B237BDF.CNM

Finally, as forwarded with MSOE using the "Forward As Attachment" option:

> Return-path: <..Ç..@hotmail.com>
> Received: from hotmail.com (64.4.16.198) by aosake.net (Mercury/32 v4.01a) with ESMTP ID MG00002D;
> 15 Sep 2004 21:01:31 -0700
> Received: from mail pickup service by hotmail.com with Microsoft SMTPSVC;
> Wed, 15 Sep 2004 20:55:02 -0700
> Received: from 64.161.30.112 by bay22-dav18.bay22.hotmail.com with DAV;
> Thu, 16 Sep 2004 03:55:02 +0000
> X-Originating-IP: [64.161.30.112]
> X-Originating-Email: [..Ç..@hotmail.com]
> X-Sender: ..Ç..@hotmail.com
> From: "..Ç.." <..Ç..@hotmail.com>
> To: <..Ç..@aosake.net>
> Subject: Fwd as attachment, X-Message-Info question
> Date: Wed, 15 Sep 2004 20:54:29 -0700
> Organization: ..Ç..
> MIME-Version: 1.0
> Content-Type: multipart/mixed;
> boundary="----=_NextPart_000_0005_01C49B66.31BDAC60"
> X-Priority: 3
> X-MSMail-Priority: Normal
> X-Mailer: Microsoft Outlook Express 6.00.2800.1437
> Disposition-Notification-To: "..Ç.." <..Ç..@hotmail.com>
> X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
> Message-ID: <BAY22-DAV18nz...@hotmail.com>
> X-OriginalArrivalTime: 16 Sep 2004 03:55:02.0785 (UTC) FILETIME=[F1D97710:01C49BA0]
> X-AC-Weight: [####] (Whitelisted) -9999
> X-CC-Diagnostic: Body contains "This is just a test" (-9999)
> X-PMFLAGS: 570949632 0 1 6847262C.CNM

Where, in the forward sets of headers, is the "X-Message-Info:" from the
original message? I can't test MS Outlook, I don't have a copy; maybe that
has a "resend" option other than "Forward" or "Forward As Attachment". Maybe
that "resend" keeps the "X-Message-Info:" headers intact. I wouldn't know;
but I haven't got any correspondents sending me messages from Hotmail
accounts using MS Outlook.

Since I don't receive any email to my non-Hotmail accounts which includes
"X-Message-Info:" in the headers, except for spam, I find that a useful line
to filter spam by.
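As an added example (not code from the thread or from any of its posters), the headers-only rule NormanM describes in his Sep 16 post, together with the three delivery shapes compared above (direct delivery, inline forward, forward as attachment), can be checked mechanically with Python's standard email parser. The sample messages are constructed, the hash value is a placeholder, and the attachment case assumes the attached original kept its header, which the thread's own samples do not show.

```python
import email
from email import policy

# Constructed sample messages (not from the thread); the hash is a placeholder.
DIRECT = b"""From: a@example.net
X-Message-Info: PLACEHOLDER0000000000000000

This is just a test
"""
INLINE_FORWARD = b"""From: a@example.com

>From: a@example.net
>X-Message-Info: PLACEHOLDER0000000000000000
>
>This is just a test
"""
ATTACHED_FORWARD = b"""From: a@example.com
Subject: Fwd as attachment
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: message/rfc822

From: a@example.net
X-Message-Info: PLACEHOLDER0000000000000000

This is just a test
--b1--
"""

def locate_header(raw: bytes, name: str = "X-Message-Info") -> str:
    """Report where `name` occurs: 'header', 'attachment', 'body' or 'absent'."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    if msg.get(name) is not None:            # genuine top-level header
        return "header"
    for part in msg.walk():                  # walk() descends into message/rfc822
        if part is not msg and part.get(name) is not None:
            return "attachment"              # header of an attached message only
    for part in msg.walk():
        if part.get_content_type() == "text/plain" and f"{name}:" in part.get_content():
            return "body"                    # quoted text, e.g. an inline forward
    return "absent"

def flag_as_spam(raw: bytes) -> bool:
    """NormanM's rule: act only on a real top-level header, never on body text."""
    return locate_header(raw) == "header"
```

Only the "header" case trips the filter; a forwarded copy of the original headers, whether quoted inline or carried in an attached message/rfc822 part, is reported but not acted on.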
