[Rich-M]

Quote:

Originally Posted by tsimmons

Sorry, but Rich-M is 100% WRONG. This is real.

I, too, am having this problem (Outlook 2007). I am a network administrator and I'm very careful about what I run/use/install. I run Avast Professional (paid version) fully up to date and am running a fully patched XPSP3 machine.

The read-receipt thread might be related, but http://forums.microsoft.com/WindowsO...40565&SiteID=2 is the EXACT issue (with no solution yet.) I posted my thoughts there, as well. And before someone says "someone is spoofing your e-mail account" know that I run our company's mail server and I checked the SMTP logs and the messages were in fact sent from my laptop at home USING SMTP AUTHENTICATION (Digest-MD5). All my accounts use IMAP and it was sent using my default account, which is NOT Gmail, so I doubt this is Gmail related.

The other thread mentions the Kapersky scanner finding something so I am trying that and will post the results.

If this were true they would be in the "Sent" box. And if this was a flaw in Outlook 2007, tthen I would see it in one of my 5 email accounts (including Gmail) my Outlook 2007 handles handles. My guess is that someone has altered the anti spam software their isp sites is using or updated it and this will calm down after a few days. I see it on my own server when we do that.

[tsimmons]

Sorry to be contrarian, but I think you are wrong. I've been researching this for several hours (I do this for a living) and I've found a handful of identical (and technically competant) reports of this.

http://www.bleepingcomputer.com/forums/topic173074.html
http://www.bleepingcomputer.com/forums/topic175946.html
http://www.castlecops.com/p1114862-M...nge_Users.html
http://forums.microsoft.com/WindowsO...40244&SiteID=2

Again, in my own case I confirmed that the spam was sent from my computer by analyzing my mail server's SMTP logs ... the connection came from my PC from my IP address and I also confirmed that the message was sent using AUTHENTICATION (we require SMTP AUTH for all sent mail) ... and the auth was not clear text username/password authentication but Digest-MD5.

And the messages do NOT show up in Sent Mail. I don't know how my Outlook has been hooked/trojaned, but it has. Kapersky has still not finished.

[tsimmons]

Holy smokes, I think I have the definitive answer. It DOES seem to be the Outlook IMAP read-receipt issue. After a closer reading of

http://forums.microsoft.com/msdn/sho...&tf=0&pageid=1

here is what I can make of it: Spammers are sending spam using the X-Confirm-Reading-To header. When Outlook sees this message in the Junk Mail folder, it will automatically generate a message prepending "Not read" to the subject line (which all of my spam messages had) and then sends that to the originator of the message, which is really the spammer's target for the spam.

It is a very sophisticated backscatter technique. The common thread is folks using IMAP.

The good news: If you are having this issue, you are PROBABLY not infected with anything malware.

The bad news: The problem is Outlook itself, as it doesn't honor the "ignore read-receipts" setting.

My fix will be the create a filter on our mail server that will reject ANY messages with a subject line that begins with "Not read: "

I wonder if setting up a similar Outlook filter will fix the issue?

[Rich-M]

Thise are nice posts similar to the ones here, including the one from you, but none of them offer a solution or even a good hypothesis. All have scanned and come up empty though I don't see anything but virus scans happening and the odds are this may be spyware if it is anything.

The range of antivirus used are either poor products such as Norton and Avast, or incomplete free online scans so we really don't know if there is a virus or not here either, but again I would be doing in depth scans with Malwarbytes and Sueperantispyware before ruling that out.

Now I clean pc's for a living and have for a lot of years doing this and the very fact this comes and goes, sort of leads me to hang with my original hypotheses until you show me something concrete that is different.

[Rich-M]

Quote:

Originally Posted by tsimmons

Holy smokes, I think I have the definitive answer. It DOES seem to be the Outlook IMAP read-receipt issue. After a closer reading of

http://forums.microsoft.com/msdn/sho...&tf=0&pageid=1

here is what I can make of it: Spammers are sending spam using the X-Confirm-Reading-To header. When Outlook sees this message in the Junk Mail folder, it will automatically generate a message prepending "Not read" to the subject line (which all of my spam messages had) and then sends that to the originator of the message, which is really the spammer's target for the spam.

It is a very sophisticated backscatter technique. The common thread is folks using IMAP.

The good news: If you are having this issue, you are PROBABLY not infected with anything malware.

The bad news: The problem is Outlook itself, as it doesn't honor the "ignore read-receipts" setting.

My fix will be the create a filter on our mail server that will reject ANY messages with a subject line that begins with "Not read: "

I wonder if setting up a similar Outlook filter will fix the issue?

OK great now we have a plausible answer...Surprising it has gone on since January yet.
I I would just read imap online until this ends though funny I do have a Gmail account I seldom use on one pc with Outlook and have never seen the error but I'll just remove the account is all.

[valis]

Quote:

Originally Posted by tsimmons

Sorry, but Rich-M is 100% WRONG. This is real.

I, too, am having this problem (Outlook 2007). I am a network administrator and I'm very careful about what I run/use/install. I run Avast Professional (paid version) fully up to date and am running a fully patched XPSP3 machine.

The read-receipt thread might be related, but http://forums.microsoft.com/WindowsO...40565&SiteID=2 is the EXACT issue (with no solution yet.) I posted my thoughts there, as well. And before someone says "someone is spoofing your e-mail account" know that I run our company's mail server and I checked the SMTP logs and the messages were in fact sent from my laptop at home USING SMTP AUTHENTICATION (Digest-MD5). All my accounts use IMAP and it was sent using my default account, which is NOT Gmail, so I doubt this is Gmail related.

The other thread mentions the Kapersky scanner finding something so I am trying that and will post the results.

sorry, but he's absolutely correct. This is the deal that is happening.

Quote:

Originally Posted by RichM

Your mail is being intercepted somewhere and spoofed, so of course it would have your computer name and email address.

I've seen it a million times, both on and off network, from outlook 2000 up.

He's spot on. Your HJT log that you posted earlier this month doesn't show anything extraordinary (unless your TrendMicro isn't a full A/V, in which case you need to get one), that leaves your email being spoofed. The description of the problem you have fit EXACTLY that scenario. You can go around waving your arms and yelling the sky is falling all you wish, but what has happened is that your email got spoofed.

How? Probably by posting it on the internet somewhere. Check some of your earlier posts. I'm going to remove your email addy so that spambots don't grab it again.

[tsimmons]

valis,

Actually, he's not correct, but neither was I. It is NOT spyware. It is Outlook.

Did you see my second message above? (I thought you might have missed it between postings.) It seems the problem is NOT spyware, but Outlook's behavior itself.

If it receives a message with the X-Confirm-Reading-To header and you delete it without reading it (at least using an IMAP account), Outlook will (regardless of your read-receipt setting) generate a "Not read:" message and send it. No spyware needed. And these messages do NOT show up in your Sent mail, just like normal read-receipts don't show up there.

This is a bug that has been filed with Microsoft for some time (probably since 2007) but, at least according to

http://forums.microsoft.com/msdn/showpost.aspx?siteid=1&postid=4038094&sb=0&d=1&at=7&ft=11&tf=0&pageid=2

there is not a fix yet.

Again, the good news is this is probably NOT an infection or malware.

Thanks for your help, guys.

[valis]

I told you it wasn't an infection or malware, based on the hjt log posted earlier in the month. Obviously I can't speak for certain, as I've not seen a current hjt log, but you've been spoofed. Deal with it.

Call it what you wish, doesn't matter a bit to me. I'm just telling you he's correct. You choose to believe differently, that is not my prerogative. I've been playing this game long enough to realize that if it walks like a duck, talks like a duck, and goes 'quack', chances are low that it's a cow.

[tsimmons]

First, you are correct. It is not infection or malware. :-)

Second, I was working under the assumption that spoofing was defined as sending spam but adding headers that simply said this message was from so-and-so when it really wasn't ... the fact of the matter is that so-and-so would have never been materially involved in the sending of the message.

The thing that makes this case different (at least IMHO) is that I was actually the instrument of transmission (or my computer was). In most spoofing cases, the spoofed person is never actually involved in the sending of the spam.

Thanks again &
Cheers!

(Oh, and moo! :-P)

[valis]

moo back.

ms says it's a design feature. Good luck.

http://www.mail-archive.com/exchange.../msg21847.html

[Moelito]

Quote:

Originally Posted by valis

moo back.

ms says it's a design feature. Good luck.

http://www.mail-archive.com/exchange.../msg21847.html

great..
By the way, about scannning if someone still think it's a virus. I've scanned with Spybot S&D, Malwarebytes Anti-malware, Super anti.. *don't remember it's name anymore*, avira, avast, eset online scanner + several other scanners including rootkit scanners.
Of course it could be a new trojan but my 5 cents on the outlok "feature".
Thunderbird here I come.
//Moelito

[valis]

scanning doesn't necessarily do squat. You need to have a trained expert parse your log to begin with, but if nothing's changed from the last time, your log is okay to go with. MBAM is a good tool, but just like the others, you need to tell it what to do with certain infections.

probably the best *scanner* around is Kaspersky; it's free, it's online, and while it won't fix anything for you, it will at least tell you what you got. Need to use IE, though.

[Moelito]

Quote:

Originally Posted by valis

scanning doesn't necessarily do squat. You need to have a trained expert parse your log to begin with, but if nothing's changed from the last time, your log is okay to go with. MBAM is a good tool, but just like the others, you need to tell it what to do with certain infections.

probably the best *scanner* around is Kaspersky; it's free, it's online, and while it won't fix anything for you, it will at least tell you what you got. Need to use IE, though.

Yes I know, just replying regarding Rich-M's post about to use certain scanners.
I can't be 100% sure of course so I'll be going for a complete reinstall (it was time for that anyway) and I won't be using outlook 2007 any more:-)
Never been infected before and hopefully I wasn't this time either.
//moelito

[Rich-M]

Quote:

Originally Posted by Moelito

Yes I know, just replying regarding Rich-M's post about to use certain scanners.
I can't be 100% sure of course so I'll be going for a complete reinstall (it was time for that anyway) and I won't be using outlook 2007 any more:-)
Never been infected before and hopefully I wasn't this time either.
//moelito

If you want to reinstall then do it, but this plainly is not a virus or spyware....all you have to do is end the Gmail reading by Outlook and read them online for now.
And Valis my friend, while I agree that having an expert read a log is better, I would bet if Malwarebytes and Superantispyware don't find it, then it really isn't there.

[valis]

Quote:

Originally Posted by Rich-M

If you want to reinstall then do it, but this plainly is not a virus or spyware....all you have to do is end the Gmail reading by Outlook and read them online for now.
And Valis my friend, while I agree that having an expert read a log is better, I would bet if Malwarebytes and Superantispyware don't find it, then it really isn't there.

you'd be surprised, my friend.....I've had MBAM return zero hits, and run kaspersky on the same machine and turned up about 50 or so.....that's where the fun stuff lies.