X-Unsent: 1
Given the small success we have had in sidelining spam by testing for the presence of the X-Unsent header, I was curious to know how it came to be there, so I did a little digging.

A number of different web sites pointed to a single application of this header in a single email program. That program is Microsoft Outlook Express and the application of X-Unsent is to record a message as never having been sent (perhaps it is a draft, or stationery).

In the ordinary run of things, the X-Unsent header would be stripped by OE at the time the message was queued for transmission. So how come it is still there in messages which, by virtue of their presence in our spamtrap, can clearly be demonstrated to have been sent?

Another clue may be that a number of web sites suggest manually setting the field X-Unsent: 1 when importing a .eml file into OE. This apparently permits the use of that file as stationery as OE now thinks it is a locally originated message which has never been sent.

Putting 2 and 2 together and getting a number which is close enough to 4 for all practical purposes, I give you my hypothesis:

Some people wishing to send bulk messages use OE to create a pretty looking, HTML formatted version of their email.

OE is not a particularly useful tool for sending the thing once it is composed, however, so they save it as stationery and export it to an RFC2822 format .eml file. Because OE never sent it, the X-Unsent: 1 header is present in the exported file.

Some other piece of software is then used to merge a list of target email addresses and send the message to that list, possibly direct-to-MX. Because that piece of software is unaware of the correct use of X-Unsent, the header is ignored by it and is simply copied intact into each outbound message as it is transmitted.

Given this, it is implicit that any message you receive that includes the header X-Unsent has been sent in bulk, one of only two tests that qualify any email as spam. The other test for spam is whether email is unsolicited and this is often a subjective judgement.

However, I have no X-Unsent: 1 samples here where that second test is not also true. One might be tempted to assume that a legitimate email marketer (discuss among yourselves) would know about the correct use of X-Unsent.

This being so, sidelining or even refusing email where the header X-Unsent exists looks like a pretty safe bet to me.
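
The test proposed above, as an added example (not code from the original post): a Python check that sidelines any message carrying an X-Unsent header, parsing the header block properly so that the same string appearing in a message body does not trigger it. The exception list of sender domains, the function names and the sample messages are assumptions constructed for illustration.

```python
from email import message_from_string
from email.utils import parseaddr

# Hypothetical exception list: domains of list servers known to pass the
# header through on legitimate mail. Sender/From are forgeable, so keep it short.
ALLOWED_SENDER_DOMAINS = {"lists.example.org"}


def sender_domains(msg):
    """Yield the lower-cased domain of every Sender and From address."""
    for field in ("Sender", "From"):
        for value in msg.get_all(field, []):
            addr = parseaddr(value)[1]
            if "@" in addr:
                yield addr.rsplit("@", 1)[1].lower()


def classify(raw_message, allowed=ALLOWED_SENDER_DOMAINS):
    """Return 'sideline' if an X-Unsent header exists, else 'deliver'."""
    msg = message_from_string(raw_message)
    # Header lookup is case-insensitive and only covers the header block,
    # so "X-Unsent: 1" quoted in a message body does not match.
    if msg.get_all("X-Unsent") is None:
        return "deliver"
    if any(domain in allowed for domain in sender_domains(msg)):
        return "deliver"
    return "sideline"


# Constructed sample messages (not taken from any real spamtrap).
SAMPLES = {
    "bulk": "From: offers@bulk.example\nTo: trap@example.net\n"
            "Subject: Special offer\nx-unsent: 1\n\n<html>...</html>\n",
    "list": "Sender: owner@lists.example.org\nFrom: alice@example.com\n"
            "Subject: Digest\nX-Unsent: 1\n\nList traffic.\n",
    "body_only": "From: bob@example.com\nSubject: Header question\n\n"
                 "Why do some messages contain\nX-Unsent: 1\n",
}

if __name__ == "__main__":
    for name, raw in SAMPLES.items():
        print(name, "->", classify(raw))
```
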


See also:
Road Kill




Category: Spamatomy

Comments :

1. Eric Parsons 28/06/2005 16:20:06
Homepage: http://startingblockcomputing.com


Wow, good analysis! (as if I expected anything less...)

One point here (after discussing amongst myself). From my vantage point, I would think that email marketers would want to (and have proven to be voracious about) paint their messages in the best camouflage they can.

A simple thing such as "remove the flippin X-Unsent header" would seem almost elementary.




2. Eric Parsons 30/06/2005 20:39:10
Homepage: http://startingblockcomputing.com


Have recently had to make an exception to this rule. A prominent listserver sends everything out with the header intact. No big deal, just "and sender does not contain <name of server>"



