Outlook rewrites subject line to "SPAM: [original subject]"


noctufaber

I'm working with a customer of mine who I believe has some form of
malware on his machine that is rewriting the subject line for all of
his outbound emails. Here are the symptoms.

1. The office has quite a few users and they all use the same SMTP
server. Only one user has this problem.
2. When the problem user composes an email with a certain subject, the
recipient receives the email, but the subject is always preceded with
SPAM:
3. The mail headers show that Spam Assassin looked at it, but scored
it as non-spam.

Has anyone heard of or seen anything like this? Does anyone have any
ideas how to fix it? I have included the mail headers below (with
slight modifications to protect the innocent):

From - Wed Jul 2 22:31:32 2008
X-Account-Key: account5
X-UIDL: 1215019732.12766.avenger.weirdwares.com,S=3626
X-Mozilla-Status: 0001
X-Mozilla-Status2: 00000000
X-Mozilla-Keys:

Return-Path: (e-mail address removed)
Delivered-To: (e-mail address removed)
Received: (qmail 12764 invoked by uid 89); 2 Jul 2008 17:28:52 -0000
Received: by simscan 1.3.1 ppid: 12743, pid: 12744, t: 3.2986s
scanners: attach: 1.3.1 clamav: 0.92/m:45/d:5110 spam: 3.1.7
X-Spam-Checker-Version: SpamAssassin 3.2.4 (2008-01-01) on
avenger.weirdwares.com
X-Spam-Level:
X-Spam-Status: No, score=-0.7 required=5.0
tests=AWL,BAYES_20,HTML_MESSAGE,
RDNS_NONE autolearn=no version=3.2.4
Received: from unknown (HELO problemuser.com) (127.0.0.1)
by avenger.weirdwares.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 2
Jul 2008 17:28:48 -0000
Received-SPF: pass (avenger.weirdwares.com: SPF record at
problemuser.com designates 127.0.0.1 as permitted sender)
Received: from ADPFINANCE ([127.0.0.1])
by lasvegasferrari.com (8.12.11/8.12.11) with ESMTP id m62HSlM9017683
for (e-mail address removed); Wed, 2 Jul 2008 12:28:48 -0500
Reply-To: (e-mail address removed)
From: "Problem User" (e-mail address removed)
To: "'Support User'" (e-mail address removed)
Subject: SPAM: Website
Date: Wed, 2 Jul 2008 11:24:25 -0600
Message-ID: 049d01c8dc68$7a103090$0490a8c0@ADPFINANCE
MIME-Version: 1.0
Content-Type: multipart/alternative;
boundary="----=_NextPart_000_049E_01C8DC36.2F75C090"
X-Mailer: Microsoft Office Outlook 11
thread-index: AcjcaHl8gIrxSrn5TmqGq4RNiT0f5g==
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2900.3198

This is a multi-part message in MIME format.

------=_NextPart_000_049E_01C8DC36.2F75C090
Content-Type: text/plain;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
 

DL

The word 'Spam' is generally appended by either the recipient's anti-spam/AV
application or their ISP's filters.
It's unlikely to be anything to do with the sender's PC, and certainly not
Outlook.



Diane Poremsky {MVP}

While it's very common for it to happen by mail server filtering, a 3rd party
antispam filter installed on the workstation could also be doing it.



** Please include your Outlook version, Account type, and Windows Version
when requesting assistance **





noctufaber

Thanks for checking into this. I believe it is likely a 3rd party tool
on the workstation too. Does anyone know why a third party tool would
mark your outbound emails with SPAM: in the subject? Does anyone know
what tools do this?

Thanks,


Diane Poremsky {MVP}

Check the workstation for antispam applications.



** Please include your Outlook version, Account type, and Windows Version
when requesting assistance **
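
Added example, not part of any post in this thread: a header check for the symptom discussed above, where the Subject carries a SPAM: tag although X-Spam-Status says "No". SpamAssassin's `rewrite_header Subject` only applies to mail it flags as spam, so that combination means the tag was added by something other than the scanner that wrote the status header. The function name, verdict labels and tag patterns are assumptions of this sketch.

```python
import re
from email import message_from_string

# Headers copied from the message quoted in the thread; the body is a
# constructed stand-in.
RAW = """\
Received: (qmail 12764 invoked by uid 89); 2 Jul 2008 17:28:52 -0000
Received: by simscan 1.3.1 ppid: 12743, pid: 12744, t: 3.2986s
 scanners: attach: 1.3.1 clamav: 0.92/m:45/d:5110 spam: 3.1.7
X-Spam-Status: No, score=-0.7 required=5.0
 tests=AWL,BAYES_20,HTML_MESSAGE,
 RDNS_NONE autolearn=no version=3.2.4
Received: from unknown (HELO problemuser.com) (127.0.0.1)
 by avenger.weirdwares.com with (DHE-RSA-AES256-SHA encrypted) SMTP; 2
 Jul 2008 17:28:48 -0000
Received: from ADPFINANCE ([127.0.0.1])
 by lasvegasferrari.com (8.12.11/8.12.11) with ESMTP id m62HSlM9017683
 for (e-mail address removed); Wed, 2 Jul 2008 12:28:48 -0500
Subject: SPAM: Website

(body omitted)
"""

TAG = re.compile(r"\s*(\[SPAM\]|\*+SPAM\*+|SPAM:)", re.I)  # assumed tag styles
STATUS = re.compile(r"(Yes|No),\s*score=(-?[\d.]+)\s+required=(-?[\d.]+)")
BY_HOST = re.compile(r"\bby\s+([\w.-]+\.[a-z]{2,})")

def unfold(value):
    return re.sub(r"\s+", " ", value or "").strip()  # join folded header lines

def diagnose(raw):
    msg = message_from_string(raw)
    m = STATUS.match(unfold(msg.get("X-Spam-Status")))
    flagged = bool(m) and m.group(1) == "Yes"
    tagged = bool(TAG.match(unfold(msg.get("Subject"))))
    # Each handler prepends its Received line, so reversed order is chronological.
    hops = [(BY_HOST.search(unfold(v)) or [None, "(local)"])[1]
            for v in reversed(msg.get_all("Received", []))]
    if not tagged:
        verdict = "untagged"
    elif m is None:
        verdict = "tagged_no_scanner_header"
    elif flagged:
        verdict = "tag_consistent_with_scanner"
    else:  # scanner said No, so its subject rewrite did not add the tag
        verdict = "tag_not_explained_by_scanner"
    score, required = (float(m[2]), float(m[3])) if m else (None, None)
    return {"flagged": flagged, "score": score, "required": required,
            "tagged": tagged, "hops": hops, "verdict": verdict}
```

A `tag_not_explained_by_scanner` result points the search at the other handlers in `hops` and at software on the sending workstation, and comparing a copy from the sender's Sent Items with the delivered copy shows whether the tag was present before the message left the client.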




 
