Why so many versions of microsoft X-MimeOLE and X-mailer Outlook versions?
Spam Guy
2006-06-24 14:13:03 UTC
In looking at the X-MimeOLE and X-Mailer lines in a lot of e-mail
(both good and spam) there appears to be dozens of different versions
such as:

X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180

Why are there so many different versions of the above 2 lines? What
causes different computers to generate different numeric versions of
those lines?

Is it because there are so many updates/patches for Windows?

Can one tell which patch or update level a given computer is at based
on receiving an e-mail from that computer and looking at the above 2
lines?
Mike Easter
2006-06-24 15:19:16 UTC
Post by Spam Guy
In looking at the X-MimeOLE and X-Mailer lines in a lot of e-mail
(both good and spam) there appears to be dozens of different versions
X-Mailer: Microsoft Outlook Express 6.00.2900.2180
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180
That particular one is the Windows XP SP2 upgrade of OE/IE6.

Mine is OE/IE6 without the XP SP2, since I don't have XP.

X-Newsreader: Microsoft Outlook Express 6.00.2800.1437
X-MIMEOLE: Produced By Microsoft MimeOLE V6.00.2800.1441
Post by Spam Guy
Why are there so many different versions of the above 2 lines? What
causes different computers to generate different numeric versions of
those lines?
The version of OE springs from the version of IE + whatever Win upgrades
may have become 'integrated' with the OE/IE.
Post by Spam Guy
Is it because there are so many updates/patches for Windows?
Yes, Win & IE.
Post by Spam Guy
Can one tell which patch or update level a given computer is at based
on receiving an e-mail from that computer and looking at the above 2
lines?
Quite a bit, as per the example you gave.
--
Mike Easter
Spam Guy
2006-06-24 20:41:21 UTC
I did a search of my e-mail repository where X-MimeOLE didn't
contain "microsoft". I was expecting all such hits to be spam, as
the following three examples show:

X-Mailer: physiognomy 0.27.3519915
X-MimeOLE: perturb 71.58.54735158

X-Mailer: wishy 57.401.1114041
X-MimeOLE: childhood 39.05.9026925

X-Mailer: praseodymium 8.72.57465
X-MimeOLE: cincinnati 4.014.589661

Clearly there is a spammer out there that is using dictionary words to
generate those lines. There were 5 such matches so far this year like
the above 3. But in two cases there was a false positive:

X-Mailer: JMail 4.4 by Dimac
X-MIMEOLE: Produced by Namespro.ca

X-Mailer: MSN 8.5
X-MimeOLE: Produced By MSN MimeOLE V8.50.0017.1202

I was expecting that any header that contained the X-MimeOLE line must
have "microsoft" in that line. That rule proves to be correct in the
vast majority of cases except for the two given above.

I then searched for cases where X-MimeOLE contained "microsoft" but
the X-Mailer did not. I found 240 such cases across all my e-mails,
with most happening in spam from 2002 to 2005 such as these 3
examples:

X-Mailer: MIME-tools 5.503 (Entity 5.501)
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.181

X-Mailer: AOL 7.0 for Windows US sub 118
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.1830

X-Mailer: Councillor yq 3.58
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2800.1106

But then I found about 2 dozen false positives, practically all having
to do with e-mail from Hilton hotels, such as this:

X-Mailer: UnityMail
X-UnityUser: Epsilon
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300

When I perform this search again (and NOT looking for "UnityMail" in
the X-Mailer line) the only 2 false positives were these:

X-Mailer: Internet Mail Service (5.5.2657.72)
x-mimeole: Produced By Microsoft Exchange V6.0.6603.0
(this was an e-mail delivery notification from UCLA)

X-Mailer: Internet Mail Service (5.5.2653.19)
x-mimeole: Produced By Microsoft Exchange V6.5.7226.0
(this was an e-mail delivery notification from U-Toronto)

So we see that Microsoft Exchange doesn't generate an X-mailer line
that includes "microsoft" for some reason.

Conclusions:

1) If the X-MimeOLE contains Microsoft, then so too should the
   X-Mailer line (and a handful of situations where it does
   not can be taken into account when implementing a filter
   for this situation)

2) If there is an X-MimeOLE line present, and it doesn't contain
"microsoft" or "msn" then again that can be filtered as
spam.

3) If both lines are present (X-MimeOLE and X-Mailer) and
   neither contains "Microsoft" or "MSN" then in practically
   all cases that is spam. Of the 25 such cases like this
   that I've seen, they have all occurred since August 2005
   to the present.
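The three rules above, together with the exceptions the post found (MSN, Exchange delivery notifications, UnityMail, JMail/Namespro.ca), written out as a header check that can be run over a mailbox. This is an added example and not code from the thread; the allowlists hold only the exceptions reported in the post, so any other legitimate sender that trips a rule is an assumption you would have to tune on your own mail. The sample header blocks are the ones quoted in the post, plus two constructed cases (a Mutt message with no X-MimeOLE, and an X-MimeOLE with no X-Mailer) to exercise the remaining branches.

```python
"""Header-pair heuristic from the post: does X-Mailer agree with X-MimeOLE?

Added example, not code from the original thread.  Allowlists are built
only from the legitimate exceptions the post reports; anything else is an
assumption to be tuned against your own mail.
"""
from __future__ import annotations

import email

# Producers that count as "Microsoft" in either header (rule 2 accepts both).
MS_PRODUCERS = ("microsoft", "msn")
# X-Mailer prefixes seen with a Microsoft X-MimeOLE in legitimate mail:
# Exchange delivery notifications and the Hilton/Epsilon UnityMail mailings.
KNOWN_NONMS_MAILERS = ("internet mail service", "unitymail")
# X-MimeOLE values without "microsoft" seen in legitimate mail (JMail/Namespro.ca).
KNOWN_NONMS_MIMEOLE = ("produced by namespro.ca",)


def classify(raw_headers: str) -> tuple[str, str]:
    """Return (verdict, reason) for one message's header block.

    verdict is 'spam', 'ok' or 'no-opinion'.  Header names are looked up
    case-insensitively, which matters because Exchange writes 'x-mimeole'.
    """
    msg = email.message_from_string(raw_headers)
    mailer = (msg.get("X-Mailer") or "").strip().lower()
    mimeole = (msg.get("X-MimeOLE") or "").strip().lower()

    if not mimeole:
        return "no-opinion", "no X-MimeOLE header, rules do not apply"

    mimeole_is_ms = any(p in mimeole for p in MS_PRODUCERS)
    mailer_is_ms = any(p in mailer for p in MS_PRODUCERS)

    if not mimeole_is_ms:
        if mimeole.startswith(KNOWN_NONMS_MIMEOLE):
            return "ok", "rule 2 exception: known non-Microsoft MimeOLE producer"
        if mailer and not mailer_is_ms:
            return "spam", "rule 3: neither X-Mailer nor X-MimeOLE names Microsoft/MSN"
        return "spam", "rule 2: X-MimeOLE present but not Microsoft/MSN"

    if mailer_is_ms:
        return "ok", "X-Mailer and X-MimeOLE both name Microsoft/MSN"
    if mailer.startswith(KNOWN_NONMS_MAILERS):
        return "ok", "rule 1 exception: Exchange/UnityMail mailer"
    return "spam", "rule 1: X-MimeOLE says Microsoft but X-Mailer does not"


# Header blocks quoted in the post, plus two constructed ones (no_mimeole,
# mimeole_only) to cover the branches the post's examples do not reach.
SAMPLES = {
    "oe6_xp_sp2": "X-Mailer: Microsoft Outlook Express 6.00.2900.2180\n"
                  "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.2180\n",
    "dictionary_words": "X-Mailer: wishy 57.401.1114041\n"
                        "X-MimeOLE: childhood 39.05.9026925\n",
    "mimetools_forged": "X-Mailer: MIME-tools 5.503 (Entity 5.501)\n"
                        "X-MimeOLE: Produced By Microsoft MimeOLE V6.00.3790.181\n",
    "jmail_namespro": "X-Mailer: JMail 4.4 by Dimac\n"
                      "X-MIMEOLE: Produced by Namespro.ca\n",
    "msn": "X-Mailer: MSN 8.5\n"
           "X-MimeOLE: Produced By MSN MimeOLE V8.50.0017.1202\n",
    "exchange_dsn": "X-Mailer: Internet Mail Service (5.5.2657.72)\n"
                    "x-mimeole: Produced By Microsoft Exchange V6.0.6603.0\n",
    "unitymail": "X-Mailer: UnityMail\nX-UnityUser: Epsilon\n"
                 "X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4910.0300\n",
    "no_mimeole": "X-Mailer: Mutt 1.5\n",                 # constructed
    "mimeole_only": "X-MimeOLE: perturb 71.58.54735158\n",  # constructed
}


def classify_all(samples: dict[str, str] = SAMPLES) -> dict[str, str]:
    """Map each sample name to its verdict."""
    return {name: classify(hdrs)[0] for name, hdrs in samples.items()}


if __name__ == "__main__":
    for name, hdrs in SAMPLES.items():
        verdict, reason = classify(hdrs)
        print(f"{name:18s} {verdict:11s} {reason}")
```

Note that rule 2 is applied before rule 3 is consulted only when X-Mailer is absent; when both headers are present and neither names Microsoft or MSN, the verdict is attributed to rule 3 as in the post. The Exchange exception is a prefix match on "Internet Mail Service", since both delivery notifications in the post carry that mailer with differing build numbers.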
