Odd spam - looks as if directly injected via IMAP

[John Schmerold]

Lately, I have been getting odd spam, not many a few every couple of days. What's odd is that these messages seem to be bypassing EXIM and going directly into my inbox. Any idea what could be happening? Here is a complete sample message - headers & all, I did a cat "1398108485.M798601P32163.server.example.com,S=1435,W=1470:2,S" to get this text, so it's everything:

Return-Path: <[email protected]>
Reply-To: <[email protected]>
From: "sam.jackson" <[email protected]>
To: <[email protected]>
Subject: [!! SPAM]  Good day sam.jackson
Date: Thu, 17 Apr 2014 03:53:30 -0500
Message-ID: <[email protected]>
MIME-Version: 1.0
Content-Type: multipart/alternative;
        boundary="----=_NextPart_000_0213_01CF5D6D.E6754FE0"
X-Mailer: Microsoft Outlook 15.0
Thread-Index: AQIBAkL7D5ntWpPQn9OKhED6Rz1UVw==
X-OlkEid: 000000007620C495434813499EF33BE633B1F9100700C3B68E10F77511CEB4CD00AA00BBB6E600000000000C0000D9539C2261A6BB45B9DAB62C7081B3C101009F6300000000946360344$

This is a multipart message in MIME format.

------=_NextPart_000_0213_01CF5D6D.E6754FE0
Content-Type: text/plain;
        charset="utf-8"
Content-Transfer-Encoding: 7bit

TV is a subsidiary of Reports, Inc. Boyz II Men, ABC, BBD. One year after
she returned, Miriam Lahnstein was expecting her second child which lead to
leaving the show once again.

------=_NextPart_000_0213_01CF5D6D.E6754FE0
Content-Type: text/html;
        boundary="--ALT--223d9cb261e6442998";
        charset="utf-8"
Content-Transfer-Encoding: quoted-printable

<HTML><BODY>TV is a subsidiary of Reports, Inc. Boyz II Men, ABC, BBD. =
One year after she returned, Miriam Lahnstein was expecting her second =
child which lead to leaving the show once again.</BODY></HTML>
------=_NextPart_000_0213_01CF5D6D.E6754FE0--

 

[vanessa]

Check for this email in /var/log/exim_mainlog and post the relevant log contents, please. If it was sent from your server, it should exist in that log.

 

[John Schmerold]

Glad you had me double check, there were two messages, they came in on the 17th, so the log was zipped up and I didn't see it in my original search.

It did come in on the 17th, it is spam, now for the oddities:
1) I have received at least four copies of each of the two messages
2) When I look at the headers, there are no Mailscanner or Spamassassin headers in any of the four copies

So, the good news is that we must have something misconfigured (&/or a rights issue) on our server, there doesn't seem to be some malware doing this to me. I think I should increase the logging level of mailscanner to see what it tells me since I am not seeing much in exim_mainlog except the delivery of the original two messages.

Any other ideas?

 

[cPanelMichael]

Hello

Were you able to determine any details about the source of the message from /var/log/exim_mainlog? Note that increasing the log level through your MailScanner application might be the best way to determine the source.

Thank you.

 

[John Schmerold]

exim_main tells me they came in via a traditional route - we filter all email before it hits the cPanel box, so these messages got passed by the spam filter to the mail server - no big deal, it happens.

But, once again today, the exact same messages presented themselves in my inbox. They are not logged in exim_main

Perhaps I should open a ticket. I posted this information here thinking it was broadly applicable and that there would be a ready solution. Now I am thinking it is some isolated fluke that is best handled by cPanel technicians.

Thoughts? I won't have time to open a ticket until later today or perhaps Thursday.

 

[cPanelMichael]

You are welcome to submit a support ticket so we can take a closer look. Note that you will need to disable MailScanner before we can troubleshoot the issue as it's a third-party application that will need to be ruled out as the source of the problem. Remember to post the ticket number here so we can update this thread with the outcome.

Thank you.

 

[John Schmerold]

Outlook 2013 was the evil-doer. Odd, very odd.

 

[vanessa]

Outlook 2013 was the evil-doer. Odd, very odd.

You realize...that headers are set by the mail client (aka whatever is sending the email) and are easily fabricated, right?

PHP: mail - Manual

 

[TraderStf]

I am wondering if it is not the "same" problem.

I have several small spams with a small zip that are passing through.
If you verify the zip on virustotal.com, it always contains "old" known virus...

The only thing special is that the email that receives it is just an forwarder, not a real mailboxes.
That forwarder sends the incoming mail to 3 real mailboxes.

Could it be that forward that bypass the scanner?

Thanks,