Spam added to legitimate emails ?

[kpav]

I am receiving spam emails from the following address:

corcoran [xxxxxxx@compusenior.com]

Addressed to: Columbus Visnic (xxxxxx@runbox.com)

advertising drugs. The unsettling part is that attached to the bottom of this spam are emails from legitimate individuals to me. And, to make matters worse, I am not receiving those emails separately; only as an addition to the spam.

How can this be happening? It would appear that Runbox security has been seriously compromised.

Anyone else seeing this?

[carverrn]

I haven't noticed this on any of my messages yet.

Was there more than one?

Where they flagged as spam?

Between the spam text and the message text do you see messages headers or does the message text just immediately start?

Regards,
Rich

[jbs]

Have you ruled out an April Fool's joke?

Assuming it's not that, is this coming from multiple different individuals, at different mail services? If it's just from one, I'd inquire with them to see if they are having any problems.

NEver having heard of this, my immediate thought is that it sounds like a virus on the sender's end which is binding itself to all outbound messages.

If it's coming from many sources, though, then I would look at either your mail client or at Runbox.

Strange, though. Do you see it as well when you use the web interface, or is it with IMAP/POP?

Finally, is it EVERY message you receive or only certain ones . . .

[kpav]

Carverrn:

There were seven emails, all from the same "sender".

The message were delivered in Outlook. How can I determine if they were "flagged as Spam"?

Header info appears before text.

jbs:

The legitimate emails originated from multiple sources.

I just started seeing this and I almost always get my email via Outlook.

[carverrn]

Take a look at the headers of the message to see if there are headers that say "X-Spam-Status" or "X-DSPAM-Result".

When you say the same sender do you mean "corcoran [ xxxxxxx @ compu senior.com ]"?

Were the "real" message portions from the same person?

Regards,
Rich

[carverrn]

Quote:

Originally posted by jbs
NEver having heard of this, my immediate thought is that it sounds like a virus on the sender's end which is binding itself to all outbound messages.

One of my thoughts too.

Rich

[jbs]

Quote:

Originally posted by kpav
Carverrn:

There were seven emails, all from the same "sender".

The message were delivered in Outlook. How can I determine if they were "flagged as Spam"?

Header info appears before text.

jbs:

The legitimate emails originated from multiple sources.

I just started seeing this and I almost always get my email via Outlook.

Were the "legitimate" emails addressed to you? Or were they people you know, but written to the "sender" who sent you the seven messages.

If the messages were to you (and only to you, like the "sender" would not have had them on his/her computer) then it would seem like something funky on your end.

If the attached messages are to the "sender" or ones you were both copied on, and all seven of these spam came from the "sender" then I'd strongly suspect something on the sender's computer.

From your first post it sounds as though the legit emails are directed to you, and that youv've not seen them elsewhere, so I would lean toward a virus infection in Outlook . . . but still too early to tell.

If the spams are all identical, I would do a Google search on some of the language in them to see if you can find any mention. Might also check the McAfee and Norton virus siets to see if they say anything useful . . .

[jbs]

Oh, and by all means, check some messages via the web interface, without having gone in through Outlook, and see whether they have this same corruption.

Especially if you can check the web interface to read a new message from this same "sender" before Outlook has logged in to get it (do you use POP or IMAP in Outlook). If the spam is there, then it's not something on your computer, but something either at Runbox or at the sender.

If the message is fine on Runbox but once it gets to your machine it's mangled, then it's almost certainly something on your machine.

If you're using POP, I'm not aware of any way that your POP client could corrupt the message on the server. If you're using IMAP, I suppose it's possible that an infection on your machine has also corrupted something on the server, which is why it would be ideal to check the web interface for a message that you've not yet downloaded.

Finally, have you checked with the "sender" to see whether they even sent you seven messages?

--Jason

[kpav]

Caverrn:

The emails originated from seven different sources, all of which are from different servers; so it does not appear to be a problem on the senders' end at either their computer or their email service. The only common link appears to have been their journey through the runbox server.

One of the emails had the following in the header:

"7Bit X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on oscar.runbox.com X-Spam-Status: No, score=4.3 required=5.0 tests=RCVD_IN_BL_SPAMCOP_NET, RCVD_IN_XBL autolearn=disabled version=3.0.1 X-Spam-Level: **** "

Others did not have the word "spam" at all.

The header on the "spam" portion included:

From xxxxxxx@compusenior.com Fri Apr 01 07:37:25 2005
Return-path: <xxxxxxx@compusenior.com>
Received: from exim by fetch.runbox.com with spamfilter (Exim 4.34)
id 1DHEqS-00055E-Pf
for **********@runbox.com; Fri, 01 Apr 2005 07:37:24 +0200
Received: from [220.175.156.174] (helo=compusenior.com)
by fetch.runbox.com with smtp (Exim 4.34)
id 1DHEqF-0004pd-AL; Fri, 01 Apr 2005 07:37:19 +0200
Message-ID: <F5877801.DB32005@compusenior.com>
Date: Fri, 01 Apr 2005 10:32:20 -0500
From: "corcoran" <xxxxxxx@compusenior.com>
User-Agent: Microsoft CDO for Windows 2000
X-Accept-Language: en-us
MIME-Version: 1.0
To: "Columbus Visnic" <xxxxxx@runbox.com>
Subject: Healthier lifestyle -- better alternative
Content-Type: text/html;
charset="us-ascii"
Content-Transfer-Encoding: 7bit
X-Spam-Checker-Version: SpamAssassin 3.0.1 (2004-10-22) on oscar.runbox.com
X-Spam-Status: No, score=3.3 required=5.0 tests=DATE_IN_FUTURE_06_12,
HTML_10_20,HTML_MESSAGE,MIME_HTML_ONLY,URIBL_SBL autolearn=disabled
version=3.0.1
X-Spam-Level: ***

(Note: I blocked my email address with *** in the above text)

One of the senders has since send another message which was not hijacked as it passed through the runbox server.

Thanks for continuing to think about this strange occurance.

[kpav]

jbs:

I use POP on Outlook.

I have not verified with all seven messages, but several have been verified as legitimate messages.

[carverrn]

kpav,

That message did not originate at compusenior.com either. The IP 220.175.156.174 is from a server in China. So most likey the message itself originated from a spammer sending from China. But the "real" message part is still wierd.

You said the spam text and the real message text were separated by headers. Are these full headers including "Recieved:" lines or just the "To/From/Subject" headers?

Regards,
Rich

[kpav]

Caverrn:

Sorry, but when I shut down Outlook at the end of the day, all seven suspect emails were in the "deleted" folder and went to that great email graveyard in the sky, so I can't answer your question.

Thankfully, I only received that one batch of odd email and the rest of the day the process worked normally.

I will report any further issues to this site.

[carverrn]

In the future don't delete anything you are going to ask questions about.

It's really hard to resolve a problem if you have no evidence to show that it actually happened.

Maybe it was Outlook that messed things up. Maybe it merged messages during the download process.

Unfortunately we'll probably never know unless it happens again.

Or ... you didn't by chance leave copies on the server did you? Maybe you can still find them in your Runbox account if you did.

Regards,
Rich

[Sherry]

Quote:

Originally posted by kpav
(Note: I blocked my email address with *** in the above text)

[Moderator: I have also x'ed out the other email addresses that were revealed in this thread.]