Authentic Spammer

I saw something new the other day. A spam e-mail message slipped past SpamButcher, and was flagged by Outlook as having an "Authentic Sender, Hash: SfOvRiCj."

On the surface it sounds like the message was signed by some sort of Sender-ID protocol intended to help email filtering systems. I looked through the message's header and found:

X-Message-flag: Authentic Sender, Hash: SfOvRiCj

I proceeded to do some research on the flag via my favorite research tools. I didn't find any conclusive information. A lot of people have seen this, but no one seems to know what it is.

I did some experiments - and was shocked at what I found.

If you put anything in the X-Message-flag , Outlook will flag the message and display the associated text above the message sender!

The potential for abuse is astounding. Imagine messages flagged with "Message attachment certified safe" or "Legitimate banking site identified." The possibilities for senders of spam email, virus writers, and "phishermen" are endless.

I tried some test messages with headers similar to the above. They worked flawlessly. The tests were conducted with Outlook 2002. I can't say for sure if older or newer versions of Outlook are at risk. Microsoft has made efforts to incorporate some antispam email features into recent versions.

SpamButcher can be used as a powerful spam filter for Outlook. It also works with almost any other mail client supporting the POP3 standard.

Back