Spam characteristics appear in two parts of an email: the message header and the message content.
Headers are important to examine because they record the message delivery path and also show some common characteristics of spam. When a message is generated, it should include standard header fields such as From, To, Subject, Date, and Message-ID. Other standard headers include Received, Cc, and Bcc.
Here are some typical header characteristics that can be found in spam:
The To: / Recipient address field
- The To: or Cc: fields do not contain a recipient email address
- The To: field is empty
- The To: field contains an invalid email address
- More than 10 recipients in To: and/or Cc: fields
- A Bcc: header exists. In a normal email message a Bcc: header is not present, because it is stripped from the mail before delivery.
The From: / Sender address field
- The address in the From: field is the same as the To: field
- Missing From: field
- Missing or malformed Message-ID
X-headers are non-standard headers that can be added at any stage while an email is sent. Some X-headers are added by spam filters to record their scan results. Examples of X-headers are:
- X-Mailer: This field contains the name of the mailing software that was used. If it contains the name of popular spam software, this can indicate a spam message.
- X-Distribution: bulk: Spammers using Pegasus Mail will have ‘X-Distribution: bulk’ added to their mail if it is addressed to a large number of recipients, but this does not occur often. This header is also used by newsletters (both legitimate and otherwise), so on its own it is not a strong signal to filter by.
- X-UIDL header exists: Incoming messages should not carry an X-UIDL header, since it is only meant for the mail server, to stop it downloading a message more than once, for instance when ‘leave messages on server’ is checked. This header would normally be stripped when the message is received. Spammers add an X-UIDL header to try to get the recipient’s mail server to download multiple copies of their message and so increase the chance that it will be read.
HTML message without a plain text body part
HTML messages usually include a plain text version of the email so that recipients with email clients that cannot read HTML can still view the message in plain text. However, many spammers tend to send HTML messages without this plain text body part, not only to save on size but also to force recipients to read the HTML version.
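The header and body traits listed above can be checked mechanically. The following Python script is an added example, not part of the original page: it parses a raw message with the standard library and reports which of the listed traits it finds. The sample message is constructed for this example, and the address and Message-ID patterns are simple heuristics, not RFC-complete validators.

```python
import email
import re
from email import policy
from email.utils import getaddresses

# Constructed sample message showing several of the traits listed above:
# From equals To, Bcc present, no Message-ID, X-UIDL and X-Distribution
# headers, and an HTML body with no text/plain part.
SAMPLE = b"""From: promo@example.test
To: promo@example.test
Bcc: victim@example.test
Subject: act now
Date: Mon, 1 Jan 2024 00:00:00 +0000
X-UIDL: 123abc
X-Distribution: bulk
Content-Type: text/html; charset=us-ascii

<html><body><p>Buy now</p></body></html>
"""

# Heuristic patterns (assumptions for this example, not full RFC 5322 grammar).
MSGID_RE = re.compile(r"^<[^<>@\s]+@[^<>@\s]+>$")
ADDR_RE = re.compile(r"^[^@\s]+@[^@\s]+\.[^@\s]+$")


def header_findings(raw: bytes) -> list[str]:
    """Return the spam-like header and body traits found in a raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    to_addrs = [a for _, a in getaddresses(msg.get_all("To", [])) if a]
    cc_addrs = [a for _, a in getaddresses(msg.get_all("Cc", [])) if a]
    from_addrs = [a for _, a in getaddresses(msg.get_all("From", [])) if a]
    if not to_addrs and not cc_addrs:
        findings.append("no recipient address in To: or Cc:")
    if any(not ADDR_RE.match(a) for a in to_addrs):
        findings.append("invalid address in To:")
    if len(to_addrs) + len(cc_addrs) > 10:
        findings.append("more than 10 recipients")
    if "Bcc" in msg:  # header lookup is case-insensitive
        findings.append("Bcc: header present")
    if not from_addrs:
        findings.append("missing From:")
    elif set(from_addrs) & set(to_addrs):
        findings.append("From: address equals To: address")
    mid = msg.get("Message-ID")
    if mid is None or not MSGID_RE.match(str(mid).strip()):
        findings.append("missing or malformed Message-ID")
    if "X-UIDL" in msg:
        findings.append("X-UIDL header present")
    if str(msg.get("X-Distribution", "")).strip().lower() == "bulk":
        findings.append("X-Distribution: bulk")
    # walk() yields the message itself for single-part mail, all parts otherwise
    types = [p.get_content_type() for p in msg.walk()]
    if "text/html" in types and "text/plain" not in types:
        findings.append("HTML body without text/plain part")
    return findings
```

Each finding is one signal; a filter would normally weight and combine them rather than reject on any single one.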
To see message headers in Outlook (where they are called Internet headers), right-click a message and choose Message Options.