Odd spam - looks as if directly injected via IMAP

Lately, I have been getting odd spam, not many a few every couple of days. What's odd is that these messages seem to be bypassing EXIM and going directly into my inbox. Any idea what could be happening? Here is a complete sample message - headers & all, I did a cat "1398108485.M798601P32163.server.example.com,S=1435,W=1470:2,S" to get this text, so it's everything:

Code:

Return-Path: <sam.jackson@domain.org>
Reply-To: <sam.jackson@domain.org>
From: "sam.jackson" <sam.jackson@domain.org>
To: <sam.jackson@example.net>
Subject: [!! SPAM]  Good day sam.jackson
Date: Thu, 17 Apr 2014 03:53:30 -0500
Message-ID: <16743057840.7868339057@f27.domain.com>
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0213_01CF5D6D.E6754FE0"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQIBAkL7D5ntWpPQn9OKhED6Rz1UVw==
X-OlkEid: 000000007620C495434813499EF33BE633B1F9100700C3B68E10F77511CEB4CD00AA00BBB6E600000000000C0000D9539C2261A6BB45B9DAB62C7081B3C101009F6300000000946360344$

This is a multipart message in MIME format.

------=_NextPart_000_0213_01CF5D6D.E6754FE0
Content-Type: text/plain;
        charset="utf-8"
Content-Transfer-Encoding: 7bit

TV is a subsidiary of Reports, Inc. Boyz II Men, ABC, BBD. One year after
she returned, Miriam Lahnstein was expecting her second child which lead to
leaving the show once again.

------=_NextPart_000_0213_01CF5D6D.E6754FE0
Content-Type: text/html;
        boundary="--ALT--223d9cb261e6442998";
        charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY>TV is a subsidiary of Reports, Inc. Boyz II Men, ABC, BBD. =
One year after she returned, Miriam Lahnstein was expecting her second =
child which lead to leaving the show once again.</BODY></HTML>
------=_NextPart_000_0213_01CF5D6D.E6754FE0--

 

Glad you had me double check, there were two messages, they came in on the 17th, so the log was zipped up and I didn't see it in my original search.

It did come in on the 17th, it is spam, now for the oddities:
1) I have received at least four copies of each of the two messages
2) When I look at the headers, there are no Mailscanner or Spamassassin headers in any of the four copies

So, the good news is that we must have something misconfigured (&/or a rights issue) on our server, there doesn't seem to be some malware doing this to me. I think I should increase the logging level of mailscanner to see what it tells me since I am not seeing much in exim_mainlog except the delivery of the original two messages.

Any other ideas?

 

exim_main tells me they came in via a traditional route - we filter all email before it hits the cPanel box, so these messages got passed by the spam filter to the mail server - no big deal, it happens.

But, once again today, the exact same messages presented themselves in my inbox. They are not logged in exim_main

Perhaps I should open a ticket. I posted this information here thinking it was broadly applicable and that there would be a ready solution. Now I am thinking it is some isolated fluke that is best handled by cPanel technicians.

Thoughts? I won't have time to open a ticket until later today or perhaps Thursday.

 

Outlook 2013 was the evil-doer. Odd, very odd.