# Outlook 2007 sending spam



## mintmog

Hi,

Having trouble with my Outlook 2007. On startup it sends around 6 or 7 emails, not from me obviously. I only realised this when I was getting 'undeliverable' mails back.

I've run AVG v.8.0, Spybot, and Bullguard and they have all come out clean.

Can anyone help?

Many thanks


----------



## tlacroix

Same problem, with my two computers (Vista 32bit and Vista 64bit, and Outlook 2007).

Tried Spybot, Norton Anti-Virus, Avast and Bitdefender, and it all comes clean, even in safe mode.

The only workaround I found to prevent the virus from sending spam is to set up a dummy account with a bogus outgoing mail server, and set it as default. The virus apparently only tries to use the default Outlook account to spam.

I would really like to get rid of this malware, but it must be a new virus as there's apparently no way to detect it.

Hopefully some genius here will come up with a magical idea ;-)

Cheers,

T


----------



## iceburglar

Running XP/Office 2007; did a clean install a few weeks back... all Windows updates and Office updates are current. Windows Defender doesn't catch it either.

Sent spam mail did not show up in the Outbox or in the Sent Mail folder, but it showed the messages being sent on the status bar at the bottom... a day later got undeliverable messages.

I don't know if this could have anything at all to do with the issue, but I noticed that my Windows Live Messenger had not been logging in normally because it says I'd logged in on another computer. I have since changed this password.

I've also turned on logging in Outlook for the meantime in case this happens again.

-mike d


----------



## AKAJohnDoe

Hmmm...

A post with three different usernames, each with only 1 post, all joined this month, all spreading FUD. 

Seems suspicious to me.


----------



## lunarlander

Give Malwarebytes a try:

http://www.malwarebytes.org/mbam.php


----------



## iceburglar

aka..., your suspicion is unfounded. 

--lunar lander, malwarebytes found nothing.

Malwarebytes' Anti-Malware 1.28
Database version: 1216
Windows 5.1.2600 Service Pack 3
9/27/2008 10:39:35 PM
mbam-log-2008-09-27 (22-39-35).txt
Scan type: Full Scan (C:\|)
Objects scanned: 139064
Time elapsed: 1 hour(s), 4 minute(s), 55 second(s)
Memory Processes Infected: 0
Memory Modules Infected: 0
Registry Keys Infected: 0
Registry Values Infected: 0
Registry Data Items Infected: 0
Folders Infected: 0
Files Infected: 0
Memory Processes Infected:
(No malicious items detected)
Memory Modules Infected:
(No malicious items detected)
Registry Keys Infected:
(No malicious items detected)
Registry Values Infected:
(No malicious items detected)
Registry Data Items Infected:
(No malicious items detected)
Folders Infected:
(No malicious items detected)
Files Infected:
(No malicious items detected)


----------



## AKAJohnDoe

OK.

What do you show under Tools/Trust Center/Add-ins?


----------



## tlacroix

Outlook add-ins in trust center:

-- Active add-ins
None

-- Inactive add-ins
Microsoft Office Groove Proxy for Outlook Add-in (disabled)
IVT BlueSoleil Outlook Add-in (disabled)
Microsoft Office Mobile Service (disabled)
OneNote Notes about Outlook Items (disabled)
Outlook Change Notifier (disabled)
Windows Search Email Indexer (disabled)

-- Disabled Application add-ins
None



If it can be of any help, my second computer apparently got infected when I installed a non-work IMAP account on it. The account receives a lot of spam, so I suspect that there might be a buffer overflow or a security breach somewhere in Outlook that got triggered somehow. But that's just me guessing while completely in the dark.

One thing I'm sure of is that both computers are definitely sending spam. The first clue was the bounces I would receive, but I confirmed this by installing Ethereal on one of the computers.

The spams are easy to identify: the "HELO" sent is the Windows computer name (I tried changing the Windows computer name of one of the two computers and the HELO command in the sent spam changed as well), and the From is the Outlook default account address. The Outlook logs are useless: they only say that there are N messages to send (N being between 1 and 15, regardless of the Outbox status), and won't provide any info about where it came from (what process, macro, add-in, or whatever). The sent spam messages won't appear in the Outbox or in the Sent Items.

HijackThis won't find anything in particular either: no weird running process or anything.

This is really weird, as it's the first time I've caught a virus that is so stealthy, so I suspect it has something to do with scripting inside Outlook, but again, just guessing.

Two things I wonder though: where does the virus get the list of email addresses to spam, and where does it get the subject lines and messages (as those seem to change pretty often).

Anyway, feel free to ask for more details.


----------



## iceburglar

Active App Add-ins:
iTunes Outlook Addin
MS Exchange Unified Messaging
MS Office SharePoint Server Colleague Import
MS Outlook Mobile Service
Outlook Exchange Notifier
Windows Search Email Indexer

Inactive Addins:
Google Cal Sync
MS Access Outlook Addin for Data Collection and Pub.
MS VBA for Outlook

Disabled: 
none

I have Gmail running IMAP, so there is not too much spam that gets to Outlook.

Currently downloading Wireshark also, but I haven't seen this behavior again since the first occurrence.

-puzzled. This is the first time I've ever had malware-related behavior and nothing caught it.

mike d


----------



## Ryoushi

Get a HijackThis log posted. Someone will be able to analyze that for you.


----------



## iceburglar

Got another returned spam, so I guess another round went out yesterday... I decided to make a bogus email account and set it as my default to trap any spam that is getting sent, since it seems to be sending from the default account.

NOTHING has caught this yet... here is my HijackThis log

Logfile of Trend Micro HijackThis v2.0.2
Scan saved at 10:02:26 AM, on 10/1/2008
Platform: Windows XP SP3 (WinNT 5.01.2600)
MSIE: Internet Explorer v7.00 (7.00.6000.16705)
Boot mode: Normal
Running processes:
C:\WINDOWS\System32\smss.exe
C:\WINDOWS\system32\winlogon.exe
C:\WINDOWS\system32\services.exe
C:\WINDOWS\system32\lsass.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Input Remapper\InputRemapper.x86.exe
C:\Program Files\Microsoft Windows OneCare Live\Antivirus\MsMpEng.exe
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\spoolsv.exe
C:\Program Files\Input Remapper\InputRemapper.x86.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
C:\WINDOWS\system32\AppleOSSMgr.exe
C:\WINDOWS\system32\AppleTimeSrv.exe
C:\Program Files\Bonjour\mDNSResponder.exe
C:\Program Files\Common Files\Microsoft Shared\VS7DEBUG\mdm.exe
C:\Program Files\Microsoft Windows OneCare Live\OcHealthMon.exe
C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
C:\WINDOWS\system32\STacSV.exe
C:\WINDOWS\system32\svchost.exe
C:\Program Files\Microsoft Windows OneCare Live\Firewall\msfwsvc.exe
C:\Program Files\Microsoft Windows OneCare Live\winss.exe
C:\WINDOWS\system32\SearchIndexer.exe
C:\WINDOWS\Explorer.EXE
C:\WINDOWS\System32\svchost.exe
C:\WINDOWS\system32\IRW.exe
C:\WINDOWS\system32\igfxtray.exe
C:\WINDOWS\system32\hkcmd.exe
C:\WINDOWS\system32\igfxsrvc.exe
C:\WINDOWS\system32\igfxpers.exe
C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe
C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
C:\Program Files\iTunes\iTunesHelper.exe
C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe
C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe
C:\WINDOWS\system32\ctfmon.exe
C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe
C:\Program Files\Messenger\msmsgs.exe
C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
C:\Program Files\Windows Desktop Search\WindowsSearch.exe
C:\Program Files\iPod\bin\iPodService.exe
C:\Program Files\Windows Live\Messenger\usnsvc.exe
C:\Program Files\Skype\Phone\Skype.exe
C:\Program Files\Microsoft Office\Office12\OUTLOOK.EXE
C:\Program Files\Common Files\Microsoft Shared\Windows Live\WLLoginProxy.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Internet Explorer\iexplore.exe
C:\Program Files\Trend Micro\HijackThis\HijackThis.exe
R0 - HKCU\Software\Microsoft\Internet Explorer\Main,Start Page = about:blank
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Page_URL = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Default_Search_URL = http://go.microsoft.com/fwlink/?LinkId=54896
R1 - HKLM\Software\Microsoft\Internet Explorer\Main,Search Page = http://go.microsoft.com/fwlink/?LinkId=54896
R0 - HKLM\Software\Microsoft\Internet Explorer\Main,Start Page = http://go.microsoft.com/fwlink/?LinkId=69157
R1 - HKCU\Software\Microsoft\Windows\CurrentVersion\Internet Settings,ProxyOverride = *.local
O2 - BHO: AcroIEHelperStub - {18DF081C-E8AD-4283-A596-FA578C2EBDC3} - C:\Program Files\Common Files\Adobe\Acrobat\ActiveX\AcroIEHelperShim.dll
O2 - BHO: SSVHelper Class - {761497BB-D6F0-462C-B6EB-D4DAF1D92D43} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O2 - BHO: (no name) - {7E853D72-626A-48EC-A868-BA8D5E23E045} - (no file)
O2 - BHO: Windows Live Sign-in Helper - {9030D464-4C02-4ABF-8ECC-5164760863C6} - C:\Program Files\Common Files\Microsoft Shared\Windows Live\WindowsLiveLogin.dll
O4 - HKLM\..\Run: [IMJPMIG8.1] "C:\WINDOWS\IME\imjp8_1\IMJPMIG.EXE" /Spoil /RemAdvDef /Migration32
O4 - HKLM\..\Run: [PHIME2002ASync] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /SYNC
O4 - HKLM\..\Run: [PHIME2002A] C:\WINDOWS\system32\IME\TINTLGNT\TINTSETP.EXE /IMEName
O4 - HKLM\..\Run: [SigmatelSysTrayApp] sttray.exe
O4 - HKLM\..\Run: [BluetoothAuthenticationAgent] rundll32.exe bthprops.cpl,,BluetoothAuthenticationAgent
O4 - HKLM\..\Run: [IRW] C:\WINDOWS\system32\IRW.exe
O4 - HKLM\..\Run: [IgfxTray] C:\WINDOWS\system32\igfxtray.exe
O4 - HKLM\..\Run: [HotKeysCmds] C:\WINDOWS\system32\hkcmd.exe
O4 - HKLM\..\Run: [Persistence] C:\WINDOWS\system32\igfxpers.exe
O4 - HKLM\..\Run: [RealtimeMonitor] "C:\Program Files\CA\eTrust\Antivirus\realmon.exe"
O4 - HKLM\..\Run: [Adobe Reader Speed Launcher] "C:\Program Files\Adobe\Reader 9.0\Reader\Reader_sl.exe"
O4 - HKLM\..\Run: [SunJavaUpdateSched] "C:\Program Files\Java\jre1.6.0_07\bin\jusched.exe"
O4 - HKLM\..\Run: [QuickTime Task] "C:\Program Files\QuickTime\qttask.exe" -atboottime
O4 - HKLM\..\Run: [AppleSyncNotifier] C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleSyncNotifier.exe
O4 - HKLM\..\Run: [iTunesHelper] "C:\Program Files\iTunes\iTunesHelper.exe"
O4 - HKLM\..\Run: [Windows Defender] "C:\Program Files\Windows Defender\MSASCui.exe" -hide
O4 - HKLM\..\Run: [TMRUBottedTray] "C:\Program Files\Trend Micro\RUBotted\TMRUBottedTray.exe"
O4 - HKLM\..\Run: [OneCareUI] "C:\Program Files\Microsoft Windows OneCare Live\winssnotify.exe"
O4 - HKCU\..\Run: [ctfmon.exe] C:\WINDOWS\system32\ctfmon.exe
O4 - HKCU\..\Run: [MsnMsgr] "C:\Program Files\Windows Live\Messenger\MsnMsgr.Exe" /background
O4 - HKCU\..\Run: [MSMSGS] "C:\Program Files\Messenger\msmsgs.exe" /background
O4 - Startup: Adobe Gamma.lnk = C:\Program Files\Common Files\Adobe\Calibration\Adobe Gamma Loader.exe
O4 - Global Startup: Google Calendar Sync.lnk = C:\Program Files\Google\Google Calendar Sync\GoogleCalendarSync.exe
O4 - Global Startup: Windows Search.lnk = C:\Program Files\Windows Desktop Search\WindowsSearch.exe
O8 - Extra context menu item: E&xport to Microsoft Excel - res://C:\PROGRA~1\MICROS~2\Office12\EXCEL.EXE/3000
O9 - Extra button: (no name) - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra 'Tools' menuitem: Sun Java Console - {08B0E5C0-4FCB-11CF-AAA5-00401C608501} - C:\Program Files\Java\jre1.6.0_07\bin\ssv.dll
O9 - Extra button: (no name) - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra 'Tools' menuitem: Uninstall BitDefender Online Scanner v8 - {85d1f590-48f4-11d9-9669-0800200c9a66} - C:\WINDOWS\bdoscandel.exe
O9 - Extra button: Research - {92780B25-18CC-41C8-B9BE-3C9C571A8263} - C:\PROGRA~1\MICROS~2\Office12\REFIEBAR.DLL
O9 - Extra button: (no name) - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra 'Tools' menuitem: @xpsp3res.dll,-20001 - {e2e2dd38-d088-4134-82b7-f2ba38496583} - C:\WINDOWS\Network Diagnostic\xpnetdiag.exe
O9 - Extra button: Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O9 - Extra 'Tools' menuitem: Windows Messenger - {FB5F1910-F110-11d2-BB9E-00C04F795683} - C:\Program Files\Messenger\msmsgs.exe
O16 - DPF: {5D86DDB5-BDF9-441B-9E9E-D4730F4EE499} (BDSCANONLINE Control) - http://download.bitdefender.com/resources/scan8/oscan8.cab
O16 - DPF: {8AD9C840-044E-11D1-B3E9-00805F499D93} (Java Runtime Environment 1.6.0) - http://dl8-cdn-01.sun.com/s/ESD44/J...04/&filename=jinstall-6u7-windows-i586-jc.cab
O16 - DPF: {D27CDB6E-AE6D-11CF-96B8-444553540000} (Shockwave Flash Object) - http://fpdownload2.macromedia.com/get/shockwave/cabs/flash/swflash.cab
O18 - Protocol: intu-help-qb1 - {9B0F96C7-2E4B-433E-ABF3-043BA1B54AE3} - C:\Program Files\Intuit\QuickBooks 2008\HelpAsyncPluggableProtocol.dll
O18 - Protocol: qbwc - {FC598A64-626C-4447-85B8-53150405FD57} - mscoree.dll (file missing)
O23 - Service: Adobe LM Service - Adobe Systems - C:\Program Files\Common Files\Adobe Systems Shared\Service\Adobelmsvc.exe
O23 - Service: Apple Mobile Device - Apple Inc. - C:\Program Files\Common Files\Apple\Mobile Device Support\bin\AppleMobileDeviceService.exe
O23 - Service: Apple OS Switch Manager (AppleOSSMgr) - Unknown owner - C:\WINDOWS\system32\AppleOSSMgr.exe
O23 - Service: Apple Time Service (AppleTimeSrv) - Apple Inc. - C:\WINDOWS\system32\AppleTimeSrv.exe
O23 - Service: Bonjour Service - Apple Inc. - C:\Program Files\Bonjour\mDNSResponder.exe
O23 - Service: InoculateIT RPC Server (InoRPC) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRpc.exe
O23 - Service: InoculateIT Realtime Server (InoRT) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoRT.exe
O23 - Service: InoculateIT Job Server (InoTask) - Computer Associates International, Inc. - C:\Program Files\CA\eTrust\Antivirus\InoTask.exe
O23 - Service: Input Remapper (InputRemapper) - Erik Olofsson - C:/Program Files/Input Remapper/InputRemapper.x86.exe
O23 - Service: iPod Service - Apple Inc. - C:\Program Files\iPod\bin\iPodService.exe
O23 - Service: ProtexisLicensing - Unknown owner - C:\Program Files\Common Files\Protexis\License Service\PSIService.exe
O23 - Service: QBCFMonitorService - Intuit - C:\Program Files\Common Files\Intuit\QuickBooks\QBCFMonitorService.exe
O23 - Service: Intuit QuickBooks FCS (QBFCService) - Intuit Inc. - C:\Program Files\Common Files\Intuit\QuickBooks\FCS\Intuit.QuickBooks.FCS.exe
O23 - Service: Trend Micro RUBotted Service (RUBotted) - Trend Micro Inc. - C:\Program Files\Trend Micro\RUBotted\TMRUBotted.exe
O23 - Service: SigmaTel Audio Service (STacSV) - SigmaTel, Inc. - C:\WINDOWS\system32\STacSV.exe


----------



## iceburglar

No replies yet... but it just sent 6 more right now... even with the bogus default account that I set up. I'm done with Outlook 2007 officially now. Back to Mozilla, I guess.


I really hope someone figures this out. This is ultimately frustrating.

-mike d


----------



## AKAJohnDoe

I am certainly not a hijack expert, but do see a number of things unfamiliar to me in your listing. Perhaps someone with greater expertise will chime in.


----------



## abloke

I'm not the expert; maybe Ted or somebody with venom can reply. Just realized I had a day of full-page non-deliverable messages, related to hijacking, but will log in tomorrow to check! Is it cloak-and-dagger ISP related?


----------



## lunarlander

Try ALL of the online scanners listed in the forum sticky "Security Help Tools". It takes time, but the more opinions from different scanners, the better.


----------



## stopsucking

Having the exact same issue here. Just started today (10/16). Opened Outlook and within minutes started seeing tons of failed delivery messages. I primarily use a web interface, so no huge loss not using Outlook. Still very curious about what this could be.


----------



## AKAJohnDoe

I would hazard a guess that the failed delivery messages did not originate from the client on your PC, but rather from either another client elsewhere (compromised password) or from a server (compromised SMTP server).


----------



## stopsucking

Right...bounced messages started showing up from the servers my email was sending emails to. Very strange little Outlook issue...


----------



## AKAJohnDoe

Believe what you will


----------



## stopsucking

AkaJohnDoe...I guess I'm not catching your drift. Believe what? I know exactly what is happening here. Outlook 2007 has some sort of malware/virus attached to it. When I open the program, it immediately starts sending emails out. I checked and it was more than 50 in under 30 seconds. Those emails sent to bogus addresses were of course bounced back to me with error messages. I am aware that the failed messages did not originate from my PC.


----------



## AKAJohnDoe

I would probably uninstall and reinstall Outlook, if not a fresh install of the OS if I could not locate anything via a run of SAS or MBAM.


----------



## Rich-M

If your Outlook was sending these, then they would show in your "Sent" folder. Do they?
Of course not, so what you are receiving is return notices because they are sent from somewhere else but mimic your email address and the problem is not with Outlook, but instead your email server. My guess is they are between spam programs, just started a new one, or changed what they do and need to be notified of your issues. 

It could also be the servers being sent to have changed their spamware also and are rejecting more than usual.


----------



## AKAJohnDoe

Thanks, Rich. Well said.


----------



## AKAJohnDoe

Anyone can of course do this just by setting your email address in the REPLY-TO as well.


----------



## iceburglar

Rich-M... I've had this problem for a month or so... have since just stopped using Outlook altogether....

Your assumption in your last post is absolutely not true...

The headers in the returned mail show MY COMPUTER NAME!

Here is an example.

Received: from supernova (24-155-12-71.dyn.grandenetworks.net [24.155.12.71])
by mx2.lsn.net (8.13.5/8.13.5) with ESMTP id m8PE9Akh002765
for <SoonKyoo-aantureni>; Thu, 25 Sep 2008 09:09:15 -0500

My laptop is named supernova, and this email is getting sent from MY COMPUTER!

as well OUTLOOK SHOWS MAIL BEING SENT IN THE STATUS BAR AT THE BOTTOM WHILE IT IS SENDING THE SPAM...

but the SENT SPAM DOESN'T SHOW UP IN SENT MAIL FOLDER.

-sorry for the all caps...but these are essential points.

-mike d


----------



## Rich-M

Real sorry but Outlook cannot send email, only you can.
Sent email shows up in the "Sent" folder unless you change that setting, spam or any other.
Your mail is being intercepted somewhere and spoofed, so of course it would have your computer name and email address. Now a virus in your system utilizing Outlook or any other email program could also send mail.


----------



## Hirnsausen

All I know is that the Windows OS works with so-called "script languages". Microsoft Office programs use those scripts (called macros), and so does Microsoft Outlook. Meant as a helpful feature for those who can program in those script languages, they also open the door wide for bad usage. One infected macro-containing Office document or e-mail, and your Windows OS could receive new commands which it will accept and execute.

I suspect that is what may have happened in your case.

Now, the problem is really how to locate and erase those bad scripts? I am not sure. Since they're not viruses but written in the Windows-internal script language, they are not easily detectable. I wonder if someone knows where the Windows OSs host all scripts. There I would search. But even so, maybe they were multiplied, and renew each other when being deleted at one location.

Well, if nothing helps, consider removing all macros from any of your documents and e-mails, then back up all your own files on some DVDs or memory sticks (jump drives), ensure you have all installation files at hand (OS and software) and the related installation serials, and format your hard drive completely and re-install a clean copy of Windows and the software you need. Then put back your cleaned, checked and macro-removed user files.

A drastic step, but in some helpless situations the only thing that surely helps. IF you cleaned all your user files and e-mails before.

Also make sure that your e-mail client does NOT open (preview) e-mails automatically when clicking one e-mail. Some virus-infected e-mails can activate the scripts within this way and infect (or re-infect) your system. And try to avoid macro-containing documents in the future.

Do that formatting only if all other methods have failed, and ask experienced friends for their opinion before. And sorry that I could not assist with better advice.


----------



## AKAJohnDoe

You can easily disable scripting and all add-ons in Outlook. 

Still, if there's nothing in the SENT folder, the emails are not originating locally.


----------



## zachlutz

Just freaked out after having the same thing happen to me. This is the only forum I can find that's tracking it. Everything has already been said, but I'll summarize my experiences. I use Gmail and access it online and through IMAP with Outlook 2007.

- Inbox becomes flooded with undeliverable receipts
- Check sent mail folder on my Gmail server, sure enough, these messages are listed
- Freak. Update AVG and Windows Defender, run full scans, nothing found
- Run MSConfig, browse start-up and services tabs, investigate odd ones, everything seems legit

- I currently have Outlook set to only store sent messages locally, as anything passing through Gmail's SMTP server is automatically added to my Sent Items. There's no trace of these messages in Outlook's local folder.
- Still very suspicious that my computer's name is included in these sent mails, but until somebody corrects Rich-M, I'm willing to accept that this is to be expected

- I've since changed my password and will only be accessing my Email through Gmail's web interface for the next week or so, to see whether these symptoms repeat without using Outlook.
- I'll continue to monitor the forum and post any new revelations along the way.


----------



## mx66

The exact same thing as zachlutz describes (post before mine) happened to me last night. It's zachlutz's description to a T.

I ran virus scans, Ad-Aware, analyzed the running processes and msconfig.
Updated all virus scan software and ran again... nothing.

Sounds like a new virus that's infected Outlook. I'm going to try disabling all add-ins and scripts in Outlook.

Tip: Start Outlook with your internet connection DISABLED; you won't send any email then.


----------



## AKAJohnDoe

Re-read the 4th post in this thread.


----------



## AKAJohnDoe

zachlutz said:


> I use Gmail and access it online and through IMAP with Outlook 2007


Change your gMail account password


----------



## Weembles

I ran into this problem today, actually, and I came across a thread about it on the MSDN forum:

http://forums.microsoft.com/msdn/sh...tid=4038094&sb=0&d=1&at=7&ft=11&tf=0&pageid=0

The best explanation there seems to be that Outlook is sending out read receipts to spam addresses automatically. The receipts don't show in our outboxes, but we do see the undeliverable notices when they bounce off their (fake) recipients.


----------



## AKAJohnDoe

Actually, that could be a plausible scenario. Especially with IMAP.

You might also try setting your junk filters to Safe Lists Only, include your Contacts in the Safe List, and turn off all scripting and images.


----------



## Hirnsausen

But the virus or malware script might send the bad e-mails, as soon as Outlook can access the Internet again.

So, consider my step of formatting the hard drive and installing everything new, in a virgin state. Might be the best. See details above (my previous posting).


----------



## Zorro815

I have experienced this same issue. Pretty much just as zachlutz described it. I have not noticed it prior to tonight. My first hint that something was odd was when I opened Outlook and saw that it was sending 9 emails. Then I got several bounce backs. I am using Outlook 2007 with a Gmail IMAP account. I do not have sent messages in my Outlook Sent Items but I do in Gmail's sent folder. The fact that Outlook displayed that it was sending emails (emails that I did not expect) at the same time this issue began is a bit too coincidental for me to dismiss.


----------



## LamaZ

I just started seeing this one. I echo everybody so far. I'm running scans for virus and spyware with: Windows Defender, Comodo, Avira.

I just pray that somebody cracks this one. Why go through all the effort of reformatting until somebody figures out how we got infected (and with what).

I'm particularly impressed with this one because, given my low trust in Winblows, I don't even run my own account with admin privileges. Therefore, if anything REALLY needs to install, I have to type in the admin password just like in a Mac/Linux.

I look forward to somebody figuring this one out.

Don't know if the admins on this site are going to nix me for this, but the ONLY other reference that I've been able to find for this problem so far is at this site:
http://www.techsupportforum.com/sec...is-log-help/193514-outlook-2007-hijacked.html

As of today and now, there has been no solution posted there or here.

Regards,

LamaZ


----------



## Moelito

Have exactly the same issue on one of my home computers (the only one running Windows). I removed all my email accounts and then uninstalled Office 2007 as a temporary solution.

Will keep an eye on this thread and hope for a solution.

Regards
Moe


----------



## popovic.sasa

Hello everyone,

Yesterday (23.10.2008) it happened to me also. I got a few "Delivery Status Notification (Failure)" E-mails, found no messages in "Sent" folder in Outlook 2007 but found all of them in "Sent" section when on gmail.com (web mail).

I'll add that I use IMAP in Outlook 2007 for my gmail account.

If anyone finds what is really causing this issue please post the solution here.

Regards,
Sasa


----------



## Moelito

Forgot to mention that I use WinXP. Anyone with Vista that has this problem?
Wonder if UAC prevents this malware.
Regards
Moe


----------



## popovic.sasa

I use Windows Vista Home Premium. UAC is turned on but it didn't help. I also have all the latest security updates for Windows, Office, etc.


----------



## The Ninja Pirate

Same issue here!

Outlook 2007 on Vista, fully patched and updated and running Firewall, Antispy and Antivirus behind a hardware Firewall.

This morning I suddenly saw 17 messages being sent in Outlook. I thought these might be old messages that hadn't sent, but then the bouncebacks started, with my computer name in the automated reply field.

The commonality here seems to be using Outlook to access a gmail account (I use IMAP).

I haven't been able to spot the emails in any of my sent folders but like the other posters these emails CLEARLY seem to be originating from Outlook, i.e. they are not the standard spoofed emails I receive from time to time.

I suspect whether you see the sent messages depends on whether gmail is your primary account or secondary account (it is my secondary account).

I was up to forty bounced messages before I pulled the plug. I am going to restart now and delete my gmail account and see what happens.

This definitely seems to be a problem in Outlook, not simply a spoofed account.

EDIT: Deleting the gmail account in Outlook *seems* to have stopped the problem. Also, I noticed that in the returned emails the message ID looks a little odd - it is a long string of random letters/numbers separated by $ symbols followed by @[email protected]? Don't normally check things like this but is that normal?


----------



## Moelito

I'm not sure if I'm right but after reading the forum thread at microsoft it seems that this issue isn't any malware. 
(http://forums.microsoft.com/msdn/sh...tid=4038094&sb=0&d=1&at=7&ft=11&tf=0&pageid=0)
Just as Weembles mentioned above, it's a bug in Outlook with read receipts that forces Outlook to use the "X-Confirm-Reading-To" line in received spam mails. It doesn't help to deactivate the receipts in Outlook settings.
Please correct me if I'm wrong.

Thank you very much, Microsoft. My bought domain name and its corresponding mail addresses are now known by several spammers!

Regards
Moelito


----------



## The Ninja Pirate

Seems strange that it just started happening in the last 48 hours for many of us posting though?

Unless gmail have changed a setting?

Also, a quick scan through didn't show that I had received over 40 emails labelled as spam by gmail between last night when I turned my laptop off and this morning when I turned it back on again? Yet I got about 40 message undeliverables this morning?


----------



## tsimmons

*Sorry, but Rich-M is 100% WRONG. This is real.*

I, too, am having this problem (Outlook 2007). I am a network administrator and I'm very careful about what I run/use/install. I run Avast Professional (paid version) fully up to date and am running a fully patched XPSP3 machine.

The read-receipt thread might be related, but http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=3840565&SiteID=2 is the EXACT issue (with no solution yet). I posted my thoughts there, as well. And before someone says "someone is spoofing your e-mail account", know that I run our company's mail server and I checked the SMTP logs, and the messages were in fact sent from my laptop at home USING SMTP AUTHENTICATION (Digest-MD5). All my accounts use IMAP and it was sent using my default account, which is NOT Gmail, so I doubt this is Gmail related.

The other thread mentions the Kaspersky scanner finding something, so I am trying that and will post the results.


----------



## Rich-M

tsimmons said:


> *Sorry, but Rich-M is 100% WRONG. This is real.*
> 
> I, too, am having this problem (Outlook 2007). I am a network administrator and I'm very careful about what I run/use/install. I run Avast Professional (paid version) fully up to date and am running a fully patched XPSP3 machine.
> 
> The read-receipt thread might be related, but http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=3840565&SiteID=2 is the EXACT issue (with no solution yet.) I posted my thoughts there, as well. And before someone says "someone is spoofing your e-mail account" know that I run our company's mail server and I checked the SMTP logs and the messages were in fact sent from my laptop at home USING SMTP AUTHENTICATION (Digest-MD5). All my accounts use IMAP and it was sent using my default account, which is NOT Gmail, so I doubt this is Gmail related.
> 
> The other thread mentions the Kaspersky scanner finding something, so I am trying that and will post the results.


If this were true they would be in the "Sent" box. And if this was a flaw in Outlook 2007, then I would see it in one of my 5 email accounts (including Gmail) my Outlook 2007 handles. My guess is that someone has altered the anti-spam software their ISP sites are using, or updated it, and this will calm down after a few days. I see it on my own server when we do that.


----------



## tsimmons

Sorry to be contrarian, but I think you are wrong. I've been researching this for several hours (I do this for a living) and I've found a handful of identical (and technically competent) reports of this.

http://www.bleepingcomputer.com/forums/topic173074.html
http://www.bleepingcomputer.com/forums/topic175946.html
http://www.castlecops.com/p1114862-My_Outlook_2003_is_sending_Spam_to_other_exchange_Users.html
http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=3840244&SiteID=2

Again, in my own case I confirmed that the spam _was_ sent from my computer by analyzing my mail server's SMTP logs ... the connection came from my PC from my IP address and I also confirmed that the message was sent using AUTHENTICATION (we require SMTP AUTH for all sent mail) ... and the auth was not clear text username/password authentication but Digest-MD5.

And the messages do NOT show up in Sent Mail. I don't know how my Outlook has been hooked/trojaned, but it has. Kaspersky has still not finished.


----------



## tsimmons

Holy smokes, I think I have the definitive answer. It DOES seem to be the Outlook IMAP read-receipt issue. After a closer reading of

http://forums.microsoft.com/msdn/sh...tid=4038094&sb=0&d=1&at=7&ft=11&tf=0&pageid=1

here is what I can make of it: Spammers are sending spam using the X-Confirm-Reading-To header. When Outlook sees this message in the Junk Mail folder, it will automatically generate a message prepending "Not read" to the subject line (which all of my spam messages had) and then sends that to the originator of the message, which is really the spammer's target for the spam.

It is a very sophisticated backscatter technique. The common thread is folks using IMAP.

The good news: If you are having this issue, you are PROBABLY not infected with anything malware.

The bad news: The problem is Outlook itself, as it doesn't honor the "ignore read-receipts" setting.

My fix will be the create a filter on our mail server that will reject ANY messages with a subject line that begins with "Not read: "

I wonder if setting up a similar Outlook filter will fix the issue?
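An added example (not code from any poster in this thread) showing the two defensive checks this post implies, using only Python's stdlib email module: detect and strip inbound receipt-request headers before a client can auto-reply, and reject outbound mail whose subject starts with "Not read: " as tsimmons proposes for the mail server. All addresses and messages are constructed samples.

```python
# Added example, not from the thread: header-level detection and mitigation of
# the read-receipt backscatter described above, on constructed sample messages.
from email import message_from_string
from email.message import Message

# Constructed inbound spam carrying a receipt request, so that any automatic
# "Not read:" reply is delivered to a third party (the spammer's real target).
INBOUND_BAIT = """\
From: spammer@example.net
To: victim@example.com
Subject: cheap watches
X-Confirm-Reading-To: target@example.org
Disposition-Notification-To: target@example.org

buy now
"""

# Constructed copy of the reply a client generates when the bait is deleted unread.
OUTBOUND_NOT_READ = """\
From: victim@example.com
To: target@example.org
Subject: Not read: cheap watches

Your message was deleted without being read.
"""

# Constructed ordinary message with no receipt request.
NORMAL = """\
From: colleague@example.com
To: victim@example.com
Subject: lunch?

noon?
"""

# X-Confirm-Reading-To is the header named in the thread; Disposition-Notification-To
# is the standard MDN request (RFC 3798); Return-Receipt-To is a legacy variant.
RECEIPT_HEADERS = ("X-Confirm-Reading-To", "Disposition-Notification-To", "Return-Receipt-To")

def requests_receipt(msg: Message) -> bool:
    """True if the message asks the recipient's client to send a read/not-read notice."""
    return any(msg[h] is not None for h in RECEIPT_HEADERS)

def strip_receipt_headers(msg: Message) -> list:
    """Inbound mitigation: remove every receipt-request header; returns the names removed."""
    removed = [h for h in RECEIPT_HEADERS if msg[h] is not None]
    for h in removed:
        del msg[h]  # deletes all occurrences of the header
    return removed

def should_reject_outbound(msg: Message) -> bool:
    """Server-side rule from the post: refuse outbound mail whose subject begins 'Not read: '."""
    return (msg["Subject"] or "").startswith("Not read: ")

def classify(raw: str) -> str:
    """Decide what a filtering MTA should do with a raw RFC 822 message."""
    msg = message_from_string(raw)
    if should_reject_outbound(msg):
        return "reject-outbound-not-read"
    if requests_receipt(msg):
        return "strip-receipt-headers"
    return "ok"
```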


----------



## Rich-M

Those are nice posts similar to the ones here, including the one from you, but none of them offer a solution or even a good hypothesis. All have scanned and come up empty though I don't see anything but virus scans happening and the odds are this may be spyware if it is anything.

The range of antivirus used is either poor products such as Norton and Avast, or incomplete free online scans, so we really don't know if there is a virus or not here either, but again I would be doing in-depth scans with Malwarebytes and SuperAntiSpyware before ruling that out.

Now I clean PCs for a living and have for a lot of years, and the very fact this comes and goes sort of leads me to hang with my original hypothesis until you show me something concrete that is different.


----------



## Rich-M

tsimmons said:


> Holy smokes, I think I have the definitive answer. It DOES seem to be the Outlook IMAP read-receipt issue. After a closer reading of
> 
> http://forums.microsoft.com/msdn/sh...tid=4038094&sb=0&d=1&at=7&ft=11&tf=0&pageid=1
> 
> here is what I can make of it: Spammers are sending spam using the X-Confirm-Reading-To header. When Outlook sees this message in the Junk Mail folder, it will automatically generate a message prepending "Not read" to the subject line (which all of my spam messages had) and then sends that to the originator of the message, which is really the spammer's target for the spam.
> 
> It is a very sophisticated backscatter technique. The common thread is folks using IMAP.
> 
> The good news: If you are having this issue, you are PROBABLY not infected with anything malware.
> 
> The bad news: The problem is Outlook itself, as it doesn't honor the "ignore read-receipts" setting.
> 
> My fix will be the create a filter on our mail server that will reject ANY messages with a subject line that begins with "Not read: "
> 
> I wonder if setting up a similar Outlook filter will fix the issue?


OK great, now we have a plausible answer...Surprising it has gone on since January yet.
I would just read IMAP online until this ends, though funny, I do have a Gmail account I seldom use on one PC with Outlook and have never seen the error, but I'll just remove the account is all.


----------



## valis

tsimmons said:


> *Sorry, but Rich-M is 100% WRONG. This is real.*
> 
> I, too, am having this problem (Outlook 2007). I am a network administrator and I'm very careful about what I run/use/install. I run Avast Professional (paid version) fully up to date and am running a fully patched XPSP3 machine.
> 
> The read-receipt thread might be related, but http://forums.microsoft.com/WindowsOneCare/ShowPost.aspx?PostID=3840565&SiteID=2 is the EXACT issue (with no solution yet.) I posted my thoughts there, as well. And before someone says "someone is spoofing your e-mail account" know that I run our company's mail server and I checked the SMTP logs and the messages were in fact sent from my laptop at home USING SMTP AUTHENTICATION (Digest-MD5). All my accounts use IMAP and it was sent using my default account, which is NOT Gmail, so I doubt this is Gmail related.
> 
> The other thread mentions the Kaspersky scanner finding something so I am trying that and will post the results.


sorry, but he's absolutely correct. This is the deal that is happening.



RichM said:


> Your mail is being intercepted somewhere and spoofed, so of course it would have your computer name and email address.


I've seen it a million times, both on and off network, from outlook 2000 up.

He's spot on. Your HJT log that you posted earlier this month doesn't show anything extraordinary (unless your TrendMicro isn't a full A/V, in which case you need to get one), so that leaves your email being spoofed. The description of the problem you have fits EXACTLY that scenario. You can go around waving your arms and yelling the sky is falling all you wish, but what has happened is that your email got spoofed.

How? Probably by posting it on the internet somewhere. Check some of your earlier posts. I'm going to remove your email addy so that spambots don't grab it again.


----------



## tsimmons

valis,

Actually, he's not correct, but neither was I. It is NOT spyware. It is Outlook.

Did you see my second message above? (I thought you might have missed it between postings.) It seems the problem is NOT spyware, but Outlook's behavior itself.

If it receives a message with the *X-Confirm-Reading-To* header and you delete it without reading it (at least using an IMAP account), Outlook will (regardless of your read-receipt setting) generate a "Not read:" message and send it. No spyware needed. And these messages do NOT show up in your Sent mail, just like normal read-receipts don't show up there.

This is a bug that has been filed with Microsoft for some time (probably since 2007) but, at least according to

http://forums.microsoft.com/msdn/showpost.aspx?siteid=1&postid=4038094&sb=0&d=1&at=7&ft=11&tf=0&pageid=2

there is not a fix yet.

Again, the good news is this is probably _NOT an infection or malware._

Thanks for your help, guys.


----------



## valis

I told you it wasn't an infection or malware, based on the hjt log posted earlier in the month. Obviously I can't speak for certain, as I've not seen a current hjt log, but you've been spoofed. Deal with it.

Call it what you wish, doesn't matter a bit to me. I'm just telling you he's correct. You choose to believe differently, that is not my prerogative. I've been playing this game long enough to realize that if it walks like a duck, talks like a duck, and goes 'quack', chances are low that it's a cow.


----------



## tsimmons

First, you are correct. It is not infection or malware. 

Second, I was working under the assumption that _spoofing_ was defined as sending spam but adding headers that simply said this message was from so-and-so when it really wasn't ... the fact of the matter is that so-and-so would have never been _materially involved_ in the sending of the message.

The thing that makes this case different (at least IMHO) is that I was actually the _instrument of transmission (or my computer was)_. In most spoofing cases, the spoofed person is never actually involved in the sending of the spam.

Thanks again &
Cheers!

(Oh, and moo! )


----------



## valis

moo back. 

ms says it's a design feature. Good luck. 

http://www.mail-archive.com/[email protected]/msg21847.html


----------



## Moelito

valis said:


> moo back.
> 
> ms says it's a design feature. Good luck.
> 
> http://www.mail-archive.com/[email protected]/msg21847.html


great.. 
By the way, about scanning, if someone still thinks it's a virus: I've scanned with Spybot S&D, Malwarebytes Anti-Malware, Super anti.. *don't remember its name anymore*, Avira, Avast, ESET online scanner + several other scanners including rootkit scanners. 
Of course it could be a new trojan, but my 5 cents is on the Outlook "feature".
Thunderbird here I come.
//Moelito


----------



## valis

scanning doesn't necessarily do squat. You need to have a trained expert parse your log to begin with, but if nothing's changed from the last time, your log is okay to go with. MBAM is a good tool, but just like the others, you need to tell it what to do with certain infections.

probably the best *scanner* around is Kaspersky; it's free, it's online, and while it won't fix anything for you, it will at least tell you what you got. Need to use IE, though.


----------



## Moelito

valis said:


> scanning doesn't necessarily do squat. You need to have a trained expert parse your log to begin with, but if nothing's changed from the last time, your log is okay to go with. MBAM is a good tool, but just like the others, you need to tell it what to do with certain infections.
> 
> probably the best *scanner* around is Kaspersky; it's free, it's online, and while it won't fix anything for you, it will at least tell you what you got. Need to use IE, though.


Yes I know, just replying regarding Rich-M's post about to use certain scanners. 
I can't be 100% sure of course, so I'll be going for a complete reinstall (it was time for that anyway) and I won't be using Outlook 2007 any more.
Never been infected before and hopefully I wasn't this time either.
//moelito


----------



## Rich-M

Moelito said:


> Yes I know, just replying regarding Rich-M's post about to use certain scanners.
> I can't be 100% sure of course, so I'll be going for a complete reinstall (it was time for that anyway) and I won't be using Outlook 2007 any more.
> Never been infected before and hopefully I wasn't this time either.
> //moelito


If you want to reinstall then do it, but this plainly is not a virus or spyware....all you have to do is end the Gmail reading by Outlook and read them online for now.
And Valis my friend, while I agree that having an expert read a log is better, I would bet if Malwarebytes and Superantispyware don't find it, then it really isn't there.


----------



## valis

Rich-M said:


> If you want to reinstall then do it, but this plainly is not a virus or spyware....all you have to do is end the Gmail reading by Outlook and read them online for now.
> And Valis my friend, while I agree that having an expert read a log is better, I would bet if Malwarebytes and Superantispyware don't find it, then it really isn't there.


you'd be surprised, my friend.....I've had MBAM return zero hits, and run kaspersky on the same machine and turned up about 50 or so.....that's where the fun stuff lies.


----------



## The Ninja Pirate

Was thinking about this last night and came to the same conclusion as tsimmons - it seems to be a 'new' way (to me) of transmitting spam. 

Someone hits me with spam with the x-confirm-reading-to header filled in and then that spam appears to originate from me when I use Outlook to view that account. Effectively turns my account into a spambot for every piece of spam sent to that account with that header filled in.

Guess gmail looks common since they are either getting those addresses online somewhere or just spamming random [email protected] combos. Boo.

Glad I have no infection; PO'd that I lost yesterday morning confirming that.


----------



## Rich-M

valis said:


> you'd be surprised, my friend.....I've had MBAM return zero hits, and run kaspersky on the same machine and turned up about 50 or so.....that's where the fun stuff lies.


Quite true, and I have run MBAM, found nothing and then run SAS and found tons also...that's why we really cannot rely on one product, especially when we know the user has "0" safety skills (I don't mean this user in this thread though).


----------



## LamaZ

Well, mystery solved then. I went into my junk mail via web mail and deleted everything in there. Added a filter for all of the addresses spamming me and brought Outlook back online.
I know this is just a temporary fix, because the next wave of spam will do it all over again until Microsoft ever fixes this "feature".

LamaZ


----------



## dockman3

I've been having this same issue, and after reading all of the posts, I went ahead and unsubscribed from the Gmail/Spam folder and Gmail/All Mail folder in my IMAP folders account setting. This seems to have fixed the problem since Outlook no longer has any way to receive spam that Gmail catches. Since Gmail catches the vast majority of spam I receive, this should be a relatively permanent fix until MS fixes it for good.


----------



## tommyk_mn

I am having the exact same issue.

I am trying to unsubscribe from Gmail's spam and allmail folders. We will see if the emails stop from my outlook!


----------



## helmetheadcycle

It seems that all of us are using GMail with IMAP sync and Outlook.

I've created a filter in Gmail, by going to Settings -> Filters -> Create a new filter -> Subject: Not Read -> Delete It (checkbox)... Create Filter

You should then be set. This bug has plagued me since I first saw it, thinking we were hijacked...

Thanks to everyone in this thread for the information culminating to this hopeful fix!

And to anyone who happens to ride...you know where to go!


----------



## IbnTech

Hi all,

Just wanted to join the legions of people this is happening to.

Someone was asking why the sent mail is not being saved in outlook. It actually is. It is being saved in the gmail sentmail folder and not outlook's. 

So far symptoms and analysis are in full agreement with the "X-Confirm-Reading-To header" hypothesis. 

Can someone please tell me how I can disable (or unsubscribe from) the All/Junk folder in Gmail from Outlook?


----------



## brianstuckey

I found this forum while researching the problem described here. I don't have the problematic computer with me...but I have an idea. What about unsubscribing from the spam IMAP folder in Gmail?

Click on the email account in the Mail Folders view. 
Right click on the top level > click on IMAP Folders
Click on Query
Select the spam folder and click Unsubscribe

I will post the results once I can try this out in person...

EDIT: it looks like IbnTech and I were thinking along the same lines


----------



## AKAJohnDoe

Am I allowed to post to this thread with more than one post?


----------



## valis

apparently. I've done it a few times. 

we'll leave it open for a bit and let them haggle it out. Who knows, something may turn up.

thanks, akajd......


----------



## AKAJohnDoe

It's cool. Just wondering why folks with more than one post are not having this problem.


----------



## valis

Probably the usual reasons.


----------

