
Are X-MC-xxx headers legit?
I've started seeing a number of spams with the following block of X headers
in it. I've never seen these before. While these look really fake to me
(from the content of most of them), does any real tool or site make headers
like this, or are they just from some spam tool and I can use them as a
guarantee of spam?

x-mcpf-jobid: mc.us6_13712451.1216993.5a2d921a72084.full_000003
X-MC-User: 6b669534c4be2b401d8744486
X-MC-Tags:45829
X-MC-Track:456
X-MC-Autotext:global
X-MC-AutoHtml: format
X-MC-Template: smiley
X-MC-MergeVars: {"_rcpt": "emailadress@domain.com", "fname": "John",
"lname":"Smith"}
X-MC-GM-Analytics: normal
X-MC-GoogleAnalyticsCampaign: good
X-MC-Metadata: { "user_id": "45829", "location_id": "111" }
X-MC-URLStripQS: link to <AsianBeauties Team>
X-MC-PreserveRecipients: 123
X-MC-InlineCSS: used
X-MC-Subaccount: sendgrid
X-MC-ViewContentLink: {uurl}
X-MC-BccAddress: {ourl}
X-MC-Important: notes
X-MC-IpPool: 99%
X-MC-ReturnPathDomain: server1.tech
X-MC-SendAt: "AsianBeauties Team"
X-MC-MergeLanguage: {all language}
X-MC-MergeVars: {"var1": "global value 1"}
X-MC-MergeVars: {"_rcpt": "emailadress@domain.com", "fname": "John",
"lname":"Smith"}
X-MC-GoogleAnalytics: www.domain.com, domain.
X-MC-Metadata: { "user_id": "45829", "location_id": "111" }
X-MC-Metadata: { "group_id": "users_active" }
X-MC-Metadata: { "_rcpt": "foo@example.com", "user_id": "123" }
X-MC-Metadata: { "_rcpt": "bar@example.com", "user_id": "456" }
x-mcda: TRUE
Re: Are X-MC-xxx headers legit?
Loren,

See https://tools.ietf.org/html/rfc6648 but basically for email think of X-
as local headers, 100% allowed, do whatever you want with them, no one
should pay any attention unless you publish what they mean. Lots of places,
my firm included, add X-* headers for various purposes.

Regards,
KAM
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Sun, Mar 28, 2021 at 11:08 PM Loren Wilton <lwilton@earthlink.net> wrote:

> I've started seeing a number of spams with the following block of X
> headers
> in it. I've never seen these before. While these look really fake to me
> (from the content of most of them), does any real tool or site make
> headers
> like this, or are they just from some spam tool and I can use them as a
> guarantee of spam?
>
> x-mcpf-jobid: mc.us6_13712451.1216993.5a2d921a72084.full_000003
> X-MC-User: 6b669534c4be2b401d8744486
> X-MC-Tags:45829
> X-MC-Track:456
> X-MC-Autotext:global
> X-MC-AutoHtml: format
> X-MC-Template: smiley
> X-MC-MergeVars: {"_rcpt": "emailadress@domain.com", "fname": "John",
> "lname":"Smith"}
> X-MC-GM-Analytics: normal
> X-MC-GoogleAnalyticsCampaign: good
> X-MC-Metadata: { "user_id": "45829", "location_id": "111" }
> X-MC-URLStripQS: link to <AsianBeauties Team>
> X-MC-PreserveRecipients: 123
> X-MC-InlineCSS: used
> X-MC-Subaccount: sendgrid
> X-MC-ViewContentLink: {uurl}
> X-MC-BccAddress: {ourl}
> X-MC-Important: notes
> X-MC-IpPool: 99%
> X-MC-ReturnPathDomain: server1.tech
> X-MC-SendAt: "AsianBeauties Team"
> X-MC-MergeLanguage: {all language}
> X-MC-MergeVars: {"var1": "global value 1"}
> X-MC-MergeVars: {"_rcpt": "emailadress@domain.com", "fname": "John",
> "lname":"Smith"}
> X-MC-GoogleAnalytics: www.domain.com, domain.
> X-MC-Metadata: { "user_id": "45829", "location_id": "111" }
> X-MC-Metadata: { "group_id": "users_active" }
> X-MC-Metadata: { "_rcpt": "foo@example.com", "user_id": "123" }
> X-MC-Metadata: { "_rcpt": "bar@example.com", "user_id": "456" }
> x-mcda: TRUE
>
>
>
Re: Are X-MC-xxx headers legit?
That is well known. Now, who is using the X-MC-xxx header set and are they
legitimate?

{^_^}

On 20210328 21:20:17, Kevin A. McGrail wrote:
> Loren,
>
> See https://tools.ietf.org/html/rfc6648 <https://tools.ietf.org/html/rfc6648>
> but basically for email think of X- as local headers, 100% allowed, do
> whatever you want with them, no one should pay any attention unless you
> publish what they mean. Lots of places, my firm included, add X-* headers for
> various purposes.
>
> Regards,
> KAM
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail <https://www.linkedin.com/in/kmcgrail> -
> 703.798.0171
>
>
> On Sun, Mar 28, 2021 at 11:08 PM Loren Wilton <lwilton@earthlink.net
> <mailto:lwilton@earthlink.net>> wrote:
>
> I've started seeing a number of spams with the following block of X headers
> in it. I've never seen these before. While these look really fake to me
> (from the content of most of them), does any real tool or site make headers
> like this, or are they just from some spam tool and I can use them as a
> guarantee of spam?
>
> x-mcpf-jobid: mc.us6_13712451.1216993.5a2d921a72084.full_000003
> X-MC-User: 6b669534c4be2b401d8744486
> X-MC-Tags:45829
> X-MC-Track:456
> X-MC-Autotext:global
> X-MC-AutoHtml: format
> X-MC-Template: smiley
> X-MC-MergeVars: {"_rcpt": "emailadress@domain.com
> <mailto:emailadress@domain.com>", "fname": "John",
> "lname":"Smith"}
> X-MC-GM-Analytics: normal
> X-MC-GoogleAnalyticsCampaign: good
> X-MC-Metadata: { "user_id": "45829", "location_id": "111" }
> X-MC-URLStripQS:   link to <AsianBeauties Team>
> X-MC-PreserveRecipients: 123
> X-MC-InlineCSS:  used
> X-MC-Subaccount: sendgrid
> X-MC-ViewContentLink: {uurl}
> X-MC-BccAddress: {ourl}
> X-MC-Important: notes
> X-MC-IpPool: 99%
> X-MC-ReturnPathDomain: server1.tech
> X-MC-SendAt: "AsianBeauties Team"
> X-MC-MergeLanguage: {all language}
> X-MC-MergeVars: {"var1": "global value 1"}
> X-MC-MergeVars: {"_rcpt": "emailadress@domain.com
> <mailto:emailadress@domain.com>", "fname": "John",
> "lname":"Smith"}
> X-MC-GoogleAnalytics: www.domain.com <http://www.domain.com>, domain.
> X-MC-Metadata: { "user_id": "45829", "location_id": "111" }
> X-MC-Metadata: { "group_id": "users_active" }
> X-MC-Metadata: { "_rcpt": "foo@example.com <mailto:foo@example.com>",
> "user_id": "123" }
> X-MC-Metadata: { "_rcpt": "bar@example.com <mailto:bar@example.com>",
> "user_id": "456" }
> x-mcda: TRUE
>
>
Re: Are X-MC-xxx headers legit?
Ahh, I was dense. The X-MC headers are MailChimp:
https://mailchimp.com/developer/transactional/docs/smtp-integration/
--
Kevin A. McGrail
Member, Apache Software Foundation
Chair Emeritus Apache SpamAssassin Project
https://www.linkedin.com/in/kmcgrail - 703.798.0171


On Mon, Mar 29, 2021 at 12:26 AM jdow <jdow@earthlink.net> wrote:

> That is well known. Now, who is using the X-MC-xxx header set and are they
> legitimate?
>
> {^_^}
>
> On 20210328 21:20:17, Kevin A. McGrail wrote:
>
> Loren,
>
> See https://tools.ietf.org/html/rfc6648 but basically for email think of
> X- as local headers, 100% allowed, do whatever you want with them, no one
> should pay any attention unless you publish what they mean. Lots of places,
> my firm included, add X-* headers for various purposes.
>
> Regards,
> KAM
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail - 703.798.0171
>
>
> On Sun, Mar 28, 2021 at 11:08 PM Loren Wilton <lwilton@earthlink.net>
> wrote:
>
>> I've started seeing a number of spams with the following block of X
>> headers
>> in it. I've never seen these before. While these look really fake to me
>> (from the content of most of them), does any real tool or site make
>> headers
>> like this, or are they just from some spam tool and I can use them as a
>> guarantee of spam?
>>
>> x-mcpf-jobid: mc.us6_13712451.1216993.5a2d921a72084.full_000003
>> X-MC-User: 6b669534c4be2b401d8744486
>> X-MC-Tags:45829
>> X-MC-Track:456
>> X-MC-Autotext:global
>> X-MC-AutoHtml: format
>> X-MC-Template: smiley
>> X-MC-MergeVars: {"_rcpt": "emailadress@domain.com", "fname": "John",
>> "lname":"Smith"}
>> X-MC-GM-Analytics: normal
>> X-MC-GoogleAnalyticsCampaign: good
>> X-MC-Metadata: { "user_id": "45829", "location_id": "111" }
>> X-MC-URLStripQS: link to <AsianBeauties Team>
>> X-MC-PreserveRecipients: 123
>> X-MC-InlineCSS: used
>> X-MC-Subaccount: sendgrid
>> X-MC-ViewContentLink: {uurl}
>> X-MC-BccAddress: {ourl}
>> X-MC-Important: notes
>> X-MC-IpPool: 99%
>> X-MC-ReturnPathDomain: server1.tech
>> X-MC-SendAt: "AsianBeauties Team"
>> X-MC-MergeLanguage: {all language}
>> X-MC-MergeVars: {"var1": "global value 1"}
>> X-MC-MergeVars: {"_rcpt": "emailadress@domain.com", "fname": "John",
>> "lname":"Smith"}
>> X-MC-GoogleAnalytics: www.domain.com, domain.
>> X-MC-Metadata: { "user_id": "45829", "location_id": "111" }
>> X-MC-Metadata: { "group_id": "users_active" }
>> X-MC-Metadata: { "_rcpt": "foo@example.com", "user_id": "123" }
>> X-MC-Metadata: { "_rcpt": "bar@example.com", "user_id": "456" }
>> x-mcda: TRUE
>>
>>
>>
>
Re: Are X-MC-xxx headers legit?
Thank you, sir.

{^_^}

On 20210328 21:29:55, Kevin A. McGrail wrote:
> Ahh, I was dense. The X-MC headers are MailChimp:
> https://mailchimp.com/developer/transactional/docs/smtp-integration/
> <https://mailchimp.com/developer/transactional/docs/smtp-integration/>
> --
> Kevin A. McGrail
> Member, Apache Software Foundation
> Chair Emeritus Apache SpamAssassin Project
> https://www.linkedin.com/in/kmcgrail <https://www.linkedin.com/in/kmcgrail> -
> 703.798.0171
>
>
> On Mon, Mar 29, 2021 at 12:26 AM jdow <jdow@earthlink.net
> <mailto:jdow@earthlink.net>> wrote:
>
> That is well known. Now, who is using the X-MC-xxx header set and are they
> legitimate?
>
> {^_^}
>
> On 20210328 21:20:17, Kevin A. McGrail wrote:
>> Loren,
>>
>> See https://tools.ietf.org/html/rfc6648
>> <https://tools.ietf.org/html/rfc6648> but basically for email think of X-
>> as local headers, 100% allowed, do whatever you want with them, no one
>> should pay any attention unless you publish what they mean. Lots of
>> places, my firm included, add X-* headers for various purposes.
>>
>> Regards,
>> KAM
>> --
>> Kevin A. McGrail
>> Member, Apache Software Foundation
>> Chair Emeritus Apache SpamAssassin Project
>> https://www.linkedin.com/in/kmcgrail
>> <https://www.linkedin.com/in/kmcgrail> - 703.798.0171
>>
>>
>> On Sun, Mar 28, 2021 at 11:08 PM Loren Wilton <lwilton@earthlink.net
>> <mailto:lwilton@earthlink.net>> wrote:
>>
>> I've started seeing a number of spams with the following block of X
>> headers
>> in it. I've never seen these before. While these look really fake to me
>> (from the content of most of them), does any real tool or site make
>> headers
>> like this, or are they just from some spam tool and I can use them as a
>> guarantee of spam?
>>
>> x-mcpf-jobid: mc.us6_13712451.1216993.5a2d921a72084.full_000003
>> X-MC-User: 6b669534c4be2b401d8744486
>> X-MC-Tags:45829
>> X-MC-Track:456
>> X-MC-Autotext:global
>> X-MC-AutoHtml: format
>> X-MC-Template: smiley
>> X-MC-MergeVars: {"_rcpt": "emailadress@domain.com
>> <mailto:emailadress@domain.com>", "fname": "John",
>> "lname":"Smith"}
>> X-MC-GM-Analytics: normal
>> X-MC-GoogleAnalyticsCampaign: good
>> X-MC-Metadata: { "user_id": "45829", "location_id": "111" }
>> X-MC-URLStripQS:   link to <AsianBeauties Team>
>> X-MC-PreserveRecipients: 123
>> X-MC-InlineCSS:  used
>> X-MC-Subaccount: sendgrid
>> X-MC-ViewContentLink: {uurl}
>> X-MC-BccAddress: {ourl}
>> X-MC-Important: notes
>> X-MC-IpPool: 99%
>> X-MC-ReturnPathDomain: server1.tech
>> X-MC-SendAt: "AsianBeauties Team"
>> X-MC-MergeLanguage: {all language}
>> X-MC-MergeVars: {"var1": "global value 1"}
>> X-MC-MergeVars: {"_rcpt": "emailadress@domain.com
>> <mailto:emailadress@domain.com>", "fname": "John",
>> "lname":"Smith"}
>> X-MC-GoogleAnalytics: www.domain.com <http://www.domain.com>, domain.
>> X-MC-Metadata: { "user_id": "45829", "location_id": "111" }
>> X-MC-Metadata: { "group_id": "users_active" }
>> X-MC-Metadata: { "_rcpt": "foo@example.com <mailto:foo@example.com>",
>> "user_id": "123" }
>> X-MC-Metadata: { "_rcpt": "bar@example.com <mailto:bar@example.com>",
>> "user_id": "456" }
>> x-mcda: TRUE
>>
>>
>
Re: Are X-MC-xxx headers legit?
Ah, OK. Looking at the MailChimp page, it appears that these headers appear on a message being sent to MC, and then it extracts them, most likely removes them from the final generated email, and uses them as processing instructions on how to generate the email or sequence of emails. In any case it seems rather unlikely that they should ever appear in a received email message.

And whether they should or not, the values given for about 90% of the headers are simply invalid according to the MC page describing them. The headers that are valid are direct copies of the examples given on the MC page, and would not likely work for any real email campaign.

I'd say that presence of X-MC-xxx headers in a received message is a 100% guarantee of a targeted advertising message, and a 99% guarantee that the message is a spam. If the values given for the options in the headers are obviously invalid, that rises to a 100% chance that the message is spam.

I'd call these headers a great spam sign.

Loren
Re: Are X-MC-xxx headers legit?
On 3/28/2021 11:07 PM, Loren Wilton wrote:
> I've started seeing a number of spams with the following block of X
> headers in it. I've never seen these before. While these look really
> fake to me (from the content of most of them), does any real tool or
> site make headers like this, or are they just from some spam tool and
> I can use them as a guarantee of spam?
>
No.  X-headers generally cannot be trusted.  However, that does not make
them useless.

Your particular headers can be found here:
https://www.rubydoc.info/gems/mandriller/0.2.0/Mandriller/Base

Mandriller is an Action Mailer plugin for MailChimp's Mandrill program;
hence the standard MailChimp headers "X-MC-xxx".

Whatever the case, X-MC-SendAt: "AsianBeauties Team"  is invalid. This
field should contain digits, dashes, colons, and spaces; no alphabet
characters.  See:
https://mailchimp.com/developer/transactional/docs/smtp-integration/X-MC-Send
<https://mailchimp.com/developer/transactional/docs/smtp-integration/#x-mc-sendat>

X-MC-SendAt

Schedule messages to be sent at a future date and time.

FORMAT

UTC timestamp written as YYYY-MM-DD HH:mm:ss

EXAMPLE

X-MC-SendAt: 2024-12-31 23:59:59



Looks like your Email is the zombie offspring of Scriptkiddie meets
Spamkiddie :)

Hope this helps!

-- Jared Hall
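The format Jared quotes for X-MC-SendAt (a UTC timestamp written as YYYY-MM-DD HH:mm:ss) is easy to check mechanically. The following Python is an added example, not code from this thread, from SpamAssassin or from MailChimp; the two sample messages are constructed, with the first copying the bogus value from Loren's spam and the second using the documented example format. It goes one step beyond a bare regex: a value of the right shape is also parsed as a date, since "2024-13-45 23:59:59" would pass the pattern but is not a timestamp.

```python
"""Validate X-MC-SendAt against the format the Mandrill doc gives:
a UTC timestamp written as YYYY-MM-DD HH:mm:ss.  Added example, not code
from the thread or from MailChimp; the samples below are constructed."""
import re
from datetime import datetime
from email import message_from_string

# Shape check: four-digit year, two-digit fields, one space, 24-hour time.
SENDAT_RE = re.compile(r"^\s*(\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\s*$")


def check_sendat(value):
    """Return (ok, reason) for a single X-MC-SendAt value.

    The regex alone accepts "2024-13-45 23:59:59", so the matched text is
    also parsed with strptime to reject impossible dates and times.
    """
    match = SENDAT_RE.match(value or "")
    if not match:
        return False, "not YYYY-MM-DD HH:mm:ss"
    try:
        datetime.strptime(match.group(1), "%Y-%m-%d %H:%M:%S")
    except ValueError:
        return False, "right shape but not a real date/time"
    return True, "ok"


def sendat_verdict(raw_message):
    """'absent', 'valid' or 'invalid' for a whole RFC 5322 message.

    Every occurrence of the header is checked; one bad value is enough
    to make the message 'invalid'.
    """
    msg = message_from_string(raw_message)
    values = msg.get_all("X-MC-SendAt") or []
    if not values:
        return "absent"
    return "valid" if all(check_sendat(v)[0] for v in values) else "invalid"


# Constructed samples (not real mail).
BOGUS_SENDAT_SAMPLE = (
    "From: sender@example.invalid\n"
    "X-MC-User: 6b669534c4be2b401d8744486\n"
    'X-MC-SendAt: "AsianBeauties Team"\n'
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
SCHEDULED_SAMPLE = (
    "From: sender@example.invalid\n"
    "X-MC-SendAt: 2024-12-31 23:59:59\n"
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for label, sample in (("bogus", BOGUS_SENDAT_SAMPLE),
                          ("scheduled", SCHEDULED_SAMPLE)):
        print(label, sendat_verdict(sample))
```

The three-way result matters for scoring: "absent" should add nothing, while "invalid" is the case Loren wants to penalise. Expressing the same split in SpamAssassin needs two subrules, an `exists:` test on the header and the format regex, combined in a `meta` rule, so that the absence of the header is never confused with a malformed value.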
Re: Are X-MC-xxx headers legit?
On 29 Mar 2021, at 3:20, Loren Wilton wrote:

> I'd say that presence of X-MC-xxx headers in a received message is a
> 100% guarantee of a targeted advertising message,

If mail comes from MailChimp, I'd say that's a rock-solid determination.

> and a 99% guarantee that the message is a spam. If the values given
> for the options in the headers are obviously invalid, that rises to a
> 100% chance that the message is spam.
>
> I'd call these headers a great spam sign.

I would not be so broad with that. I have 49 messages in my personal
archives with X-MC-User headers, none of which I have classified as
spam. All appear to have come through MailChimp and be sent on behalf of
entities I have given some sort of permission to send me email,
including GitHub, Travis-CI.com, Ars Technica, and both of my local
public radio stations. I'm sure that there would be more of these extant
in my archives if I did not generally unsub from the sorts of mailings
that make the use of MailChimp-like services rational.

I expect that focusing on individual headers (other than X-MC-User)
rather than any and all X-MC-* headers would be a better filtering
approach.

--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
Re: Are X-MC-xxx headers legit?
> I would not be so broad with that. I have 49 messages in my personal
> archives with X-MC-User headers, none of which I have classified as spam.

Bill, do you see multiple X-MC- headers in the mails that come thru
MailChimp?
As in, "multiple many" or "multiple 2 or 3"? Or just the Users header?

I can't tell from the MailChimp documentation whether the headers will be
generally filtered from the final email message, or passed through. The
majority of them are instructions to MailChimp to do something in either the
headers or body of the message, so really it makes little sense to leave
them in the final message.

I can write rules to detect bogus values for quite a few of the headers, but
the allowed text for a lot of the headers is moderately complicated, so gets
to be a big and expensive regex. It would be a lot easier to just add points
if there are say 3 or more X-MC headers in a row. But of course that is no
good if MC does just pass all the direction headers through to the final
messages it generates.

Thanks,

Loren
Re: Are X-MC-xxx headers legit?
On 29 Mar 2021, at 10:25, Loren Wilton wrote:

>> I would not be so broad with that. I have 49 messages in my personal
>> archives with X-MC-User headers, none of which I have classified as
>> spam.
>
> Bill, do you see multiple X-MC- headers in the mails that come thru
> MailChimp?
> As in, "multiple many" or "multiple 2 or 3"? Or just the Users header?

After a closer look, it appears that each of those 49 contains ONLY the
X-MC-User header.

That closer look also indicates that other mail providers use various
X-MC-* headers. Notably Mimecast and MailChannels. I have substantial
quantities of entirely person-to-person messages with
X-MC-Loop-Signature, X-MC-Ingress-Time, and X-MC-Unique headers as well
as a few with X-MC-Relay, X-MC-Mailinglist, X-MC-Metadata, and
X-MC-Track. For example, I have tech support conversations with
customers-of-customers who have those in their mail.

So: I rescind my agreement with the "100% targeted advertising"
judgment.

> I can't tell from the MailChimp documentation whether the headers will
> be generally filtered from the final email message, or passed through.
> The majority of them are instructions to MailChimp to do something in
> either the headers or body of the message, so really it makes little
> sense to leave them in the final message.
>
> I can write rules to detect bogus values for quite a few of the
> headers, but the allowed text for a lot of the headers is moderately
> complicated, so gets to be a big and expensive regex. It would be a
> lot easier to just add points if there are say 3 or more X-MC headers
> in a row. But of course that is no good if MC does just pass all the
> direction headers through to the final messages it generates.

Based on my ANECDOTAL (as it is just mail in my archives, including a
mix of work and personal accounts) evidence, I would guess that
MailChimp only preserves X-MC-User, but that the other M*C* email
service providers have other possibly colliding X-MC-* headers which
occur in some highly wanted but weakly predictable email in uncertain
combinations.

TL;DR: Be careful, it is complicated.


--
Bill Cole
bill@scconsult.com or billcole@apache.org
(AKA @grumpybozo and many *@billmail.scconsult.com addresses)
Not Currently Available For Hire
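Loren's "add points if there are 3 or more X-MC headers" idea and Bill's caveat pull in opposite directions, and the tension is easiest to see in code. The following Python is an added example, not SpamAssassin, MailChimp or anyone's production rule; the name lists and the threshold are assumptions taken from this thread, and the three sample messages are constructed. It counts X-MC-* headers per message but leaves out X-MC-User (the one header Bill's archive suggests MailChimp leaves in delivered mail) and the names Bill saw from Mimecast and MailChannels, and it reports those separately so the operator can see when the "other provider" case is in play.

```python
"""Tally X-MC-* headers in a received message.  Added example, not code from
the thread; the lists and threshold below are assumptions drawn from it."""
from collections import Counter
from email import message_from_string

# Names Bill reports in person-to-person mail relayed by other providers.
# They are not Mandrill sending directives, so they do not count toward
# the threshold, but they are reported so a collision is visible.
OTHER_PROVIDER = {"x-mc-loop-signature", "x-mc-ingress-time", "x-mc-unique",
                  "x-mc-relay", "x-mc-mailinglist"}
# The one header Bill's archive suggests MailChimp leaves in delivered mail.
PASSTHROUGH = {"x-mc-user"}


def xmc_tally(raw_message, threshold=3):
    """Return counts plus a flag for one RFC 5322 message.

    Only names starting with "x-mc-" are counted, so the x-mcpf-jobid and
    x-mcda lines in Loren's sample are deliberately ignored.  Repeated
    headers (several X-MC-Metadata lines) each count once.
    """
    msg = message_from_string(raw_message)
    names = [k.lower() for k in msg.keys() if k.lower().startswith("x-mc-")]
    counts = Counter(names)
    ignored = OTHER_PROVIDER | PASSTHROUGH
    directive_count = sum(c for n, c in counts.items() if n not in ignored)
    return {
        "total": len(names),
        "directive_count": directive_count,
        "other_provider_seen": sorted(n for n in counts if n in OTHER_PROVIDER),
        "flag": directive_count >= threshold,
    }


# Constructed samples (not real mail).  The first mirrors part of Loren's
# spam; the second is what a wanted MailChimp mailing would look like per
# Bill; the third imitates a relayed person-to-person message.
DIRECTIVE_SPAM = (
    "X-MC-User: 6b669534c4be2b401d8744486\n"
    "X-MC-Tags: 45829\n"
    "X-MC-Track: 456\n"
    "X-MC-Template: smiley\n"
    'X-MC-SendAt: "AsianBeauties Team"\n'
    'X-MC-Metadata: { "user_id": "45829", "location_id": "111" }\n'
    "Subject: constructed sample\n"
    "\n"
    "body\n"
)
WANTED_MAILCHIMP = (
    "X-MC-User: 6b669534c4be2b401d8744486\n"
    "Subject: constructed newsletter\n"
    "\n"
    "body\n"
)
RELAYED_P2P = (
    "X-MC-Unique: constructed-unique-id\n"
    "X-MC-Loop-Signature: constructed-signature\n"
    "X-MC-Ingress-Time: 0\n"
    "X-MC-Track: constructed\n"
    "Subject: re: your ticket\n"
    "\n"
    "body\n"
)

if __name__ == "__main__":
    for label, sample in (("spam", DIRECTIVE_SPAM),
                          ("mailchimp", WANTED_MAILCHIMP),
                          ("relayed", RELAYED_P2P)):
        print(label, xmc_tally(sample))
```

The relayed sample still shows a directive count of 1, because X-MC-Track is on both Loren's list and Bill's, which is exactly why the result is a score input rather than a verdict: raise the threshold, or combine the flag with a format check on individual values, before letting it decide anything on its own.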
Re: Are X-MC-xxx headers legit?
On Mon, 29 Mar 2021, Loren Wilton wrote:

> I'd call these headers a great spam sign.

Depending on their rarity... :)

Occasionally spammers will screw up and leave template replacement tokens
in their message bodies. Great spam sign, too rare to be useful in
practice.


--
John Hardin KA7OHZ http://www.impsec.org/~jhardin/
jhardin@impsec.org pgpk -a jhardin@impsec.org
key: 0xB8732E79 -- 2D8C 34F4 6411 F507 136C AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
If you ask amateurs to act as front-line security personnel,
you shouldn't be surprised when you get amateur security.
-- Bruce Schneier
-----------------------------------------------------------------------
3 days until April Fools' day
Re: Are X-MC-xxx headers legit?
On 2021-03-29 12:11, John Hardin wrote:
> On Mon, 29 Mar 2021, Loren Wilton wrote:
>
>> I'd call these headers a great spam sign.
>
> Depending on their rarity... :)
>
> Occasionally spammers will screw up and leave template replacement
> tokens in their message bodies. Great spam sign, too rare to be useful
> in practice.
>
>
Rare perhaps, but I've used this and other signatures from the design in
combination with keywords that would otherwise generate false positives
to eliminate some specific and persistent irritants, in particular some
purveyors of apparel from India.

--
For SpamAssassin Users List