Simmons Consulting, the Website of Toby Simmons

My Outlook is sending spam!! (But not really)

26 Oct

I was working at home late one evening this week and I was about to finish up the project I was working on and decided to make one more pass through my e-mail before going to bed. I launched Outlook to check my several accounts and, shortly after startup, I received a bunch of Delivery Status Notifications (DSNs) for messages I hadn’t sent.

This isn’t all that unusual, because there is a fairly common spamming technique known as spoofing. Basically, a spammer sends a bunch of spam and adds a header that says that it is from you, so when that message gets rejected by the spam victims, all the bounce messages come back to you. I wasn’t alarmed at this because I’ve received messages like this before, but it’s prudent to check them anyway.

The thing to look for is to see where the original message was sent from … for example, the report might look like this:

Reporting-MTA: dns; mailserver.somedomain.com
Received-from-MTA: dns; pc123 (xx.xx.xx.xx)
Arrival-Date: Thu, 23 Oct 2008 22:51:33 -0500

The xx.xx.xx.xx will be the IP address of the sender, usually some poor hijacked/zombiefied computer in Thailand or Beijing.
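The check described above, as an added example (not code from the original post): it parses the machine-readable message/delivery-status part of a bounce and compares the Received-From-MTA address with networks you control. The sample bounce, its addresses and the my_networks parameter are constructed for illustration.

```python
import email
import re
from email import policy
from ipaddress import ip_address, ip_network

# Constructed bounce (multipart/report, RFC 3464); hosts and addresses are made up.
SAMPLE_DSN = """\
From: MAILER-DAEMON@mailserver.somedomain.com
Subject: Delivery Status Notification (Failure)
Content-Type: multipart/report; report-type=delivery-status; boundary="b1"

--b1
Content-Type: text/plain

Delivery to the following recipient failed.
--b1
Content-Type: message/delivery-status

Reporting-MTA: dns; mailserver.somedomain.com
Received-From-MTA: dns; pc123 (203.0.113.45)
Arrival-Date: Thu, 23 Oct 2008 22:51:33 -0500

Final-Recipient: rfc822; nobody@example.net
Status: 5.1.1

--b1--
"""

def submitting_ip(raw):
    """Return the IP recorded in Received-From-MTA, or None if the DSN has none."""
    msg = email.message_from_string(raw, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "message/delivery-status" and part.get_payload():
            fields = part.get_payload()[0]  # first header block holds per-message fields
            received = str(fields.get("Received-From-MTA", ""))
            found = re.search(r"\(\[?([0-9A-Fa-f:.]+)\]?\)", received)
            try:
                return ip_address(found.group(1)) if found else None
            except ValueError:
                return None
    return None

def classify(raw, my_networks):
    """Label a bounce by whether the submitting IP is inside networks you control."""
    ip = submitting_ip(raw)
    if ip is None:
        return "no-origin-recorded"
    if any(ip in ip_network(net) for net in my_networks):
        return "submitted-from-my-network"
    return "spoofed-sender-backscatter"
```

A result of submitted-from-my-network is the case that needs the mail server's SMTP logs, as in the rest of this post.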

Imagine my shock when I opened up the DSNs and they had MY IP ADDRESS listed as the sender. I started thinking this was some remarkable new spoofing technique because I knew my computer hadn’t sent the spam; that would mean my computer had been hijacked.

Knowing that our mail server logs never lie, I logged into the office through a VPN and started poring through the SMTP logs. My blood ran cold when I ran across the entries showing that those messages had, indeed, been sent from my IP address. And to top it off, they had been sent using SMTP authentication. In other words, something had used my computer AND my password to send this spam.

I felt so violated.

I started doing research trying to find out what can infect Outlook like this and remain completely hidden. I searched for hours. I Googled nearly every permutation of “Outlook generated spam” and “Outlook is sending spam” that I could imagine.

There were several recent instances of others having this experience and I was becoming increasingly alarmed. What kind of super-virus had I become infected with? How could this have happened? I am normally quite paranoid and very safe regarding my online activities so I didn’t understand how I could have become infected … I was truly dismayed.

Some of the other occurrences I discovered included the following long threads (and none seemed to have an answer when I checked them):

I went to bed exhausted and felt defeated because I felt sure I had somehow let my computer become hijacked. I started a full system scan using Avast Professional and went to sleep.

The next morning, I got up early to check the results of the scan and, of course, it found nothing, so I started hunting again for the solution. I had seen a mention of how Outlook handles read-receipts in one thread and had dismissed it as unrelated, but I was starting to re-read the same posts over and over again, so I decided to read it more closely.

The title of the thread wasn’t alarming at all: Re: Outlook 2007 IMAP Bug. As I read the article closer, I realized it was describing exactly what had happened. And more importantly, it turned out this was not some super-bug-malware or infection. It is just a bug in Outlook 2003/2007.

I hadn’t become a spammer, after all!

How the bug works
The bug essentially works like this: Someone sends spam to your IMAP account with a read-receipt request in it from a spoofed e-mail account. Outlook downloads it, but you don’t read it because, well, it’s dirty, stinking spam. Then, you quit Outlook without deleting the message.

At some point, you delete this message from the server using a different mail client, let’s say webmail or maybe an iPhone. The next time Outlook launches, it will see that the message has been deleted and, since there was a read-receipt request attached to it, Outlook generates a friendly “your message was deleted before it was read” message that is sent automatically regardless of your read-receipt setting in Outlook.

I have Outlook set to ignore all read-receipts (I find them rather obnoxious) but apparently Outlook ignores this setting when it comes to sending NOT-read-receipts.
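An added example, not from the original post: since the unwanted notification is triggered by a stored message that asks for a read receipt, this lists such messages so they can be reviewed, and flags those whose receipt address differs from Return-Path, the case in which RFC 8098 says a receipt should not be sent automatically. The sample messages and function names are constructed for illustration.

```python
from email import message_from_string, policy
from email.utils import getaddresses, parseaddr

# Constructed messages as they might sit unread in a mail folder; addresses are made up.
SAMPLES = [
    "Return-Path: <colleague@example.org>\nFrom: colleague@example.org\n"
    "Disposition-Notification-To: colleague@example.org\nSubject: Minutes\n\nPlease confirm.\n",
    "Return-Path: <bulk@sender.example>\nFrom: victim@example.net\n"
    "Disposition-Notification-To: victim@example.net\nSubject: Cheap pills\n\nBuy now.\n",
    "Return-Path: <news@example.com>\nFrom: news@example.com\nSubject: Newsletter\n\nHello.\n",
]

def receipt_request(raw):
    """Describe the read-receipt request in one raw message, or return None if it has none."""
    msg = message_from_string(raw, policy=policy.default)
    requested = [str(v) for v in msg.get_all("Disposition-Notification-To", [])]
    targets = {addr.lower() for _, addr in getaddresses(requested) if addr}
    if not targets:
        return None
    return_path = parseaddr(str(msg.get("Return-Path", "")))[1].lower()
    return {
        "subject": str(msg.get("Subject", "")),
        "targets": sorted(targets),
        # True when a receipt would go somewhere other than the envelope sender.
        "auto_reply_unsafe": targets != {return_path},
    }

def triage(raw_messages):
    """Return subjects of messages whose receipt must not be answered automatically."""
    flagged = []
    for raw in raw_messages:
        info = receipt_request(raw)
        if info and info["auto_reply_unsafe"]:
            flagged.append(info["subject"])
    return flagged
```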

It seems in the last couple of months, spammers have started finding ways to exploit this more and more.

So, I finally posted a note in the Microsoft Outlook forums trying to find a way to turn off Outlook’s overzealous notifications, so hopefully I’ll get an answer. I’ll update this post if and when I do.

Updated @ 2008-10-27 8:59 p.m. — I have opened a support ticket with Microsoft (using e-mail). We’ll see if I get any response that way, as well.

Comments (9) »

  1. Paul says:

    I was just looking into this also as I have had the same type of Spam being sent from MY computer too! Two days of deep virus scans, spyware/malware scans and nothing detected!

    I use google apps for domains to host my email and I use google’s gmail interface as well as outlook (IMAP) to check my mail accounts.

    Would be great if you get a response from MS forums regarding a fix for this. I may even consider a new email client (Thunderbird maybe!) but I am tied to outlook because I sync my windows mobile and it all works great!

    Would be grateful if you could let me know if you get anything on a fix!

    Thanks and great work!

  2. David says:

    Yep same scare here! And I thought my computer was infected too. I was 10mins through my hunting when I fell on your post. Thank you!

    At least we know it is not a virus…

  3. Shawn says:

    me too! me too! Google apps with outlook 2007 via imap. What a serious pain in the @$$! Hopefully your post on the M$ site will be answered quickly.

    Cheers!

  4. phate says:

    Thanks man!! saved me a lot of work! I was panicked as well – I had exactly the same situation and I was panicked by that. I now feel good after reading your post. THANK YOU!!

  5. Kor says:

    I had the same problem!!!
    OMG! it was stuck read receipts!!

    use these instructions to remove them with a Microsoft tool!
    http://www.howto-outlook.com/howto/deletereadreceipt.htm

    Hope this helps!
    -Kor

  6. Hi guys,

    We found the workaround.

    ***THE PROBLEM***

    We had a user on our servers report this issue. After investigating the issue we did notice that Outlook 2003 and 2007 are causing this issue. The headers are showing that the messages are passing the end user’s local Outlook accounts and spammers found a new way to infiltrate. They basically BCC a number of spam targets and send you the spam message with a read receipt enabled. Once the message arrives and it is Not Read or if your Spam program deletes it, it sends the following:

    To: [BCC Target]
    Subject: Not read: [Varying Subjects]
    Body:
    Your message

    To: [your address]
    Subject: [Varying Subjects]
    Sent: 9/25/2008 4:19 AM

    was deleted without being read on 3/28/2009 12:16 AM.

    ***The FIX***

    In Outlook 2003, access Tracking settings. — Tools, Options, Preferences, Email Options, Tracking Options.
    Select Use this Option to Decide how to Respond to Requests for Read Receipts.
    Select button Ask me before sending a response.
    Select OK

    *** The TEST***
    Remove Preview Pane by Selecting View Toggle Preview Pane
    Send a NEW test message to yourself and a backup email with ***Spam Test*** in Subject and Select Read Receipt. When the message arrives, highlight the message and delete. Empty Deleted Items Folder. The pop up will show to respond to the message. Check off the box to Not show this message again and select No to All.
    The read receipts response will not be sent and you will be protected.

    Say hello to Google Apps and give Microsoft the boot.

    WebCanDo Support

  7. PGC says:

    Great hack – worked like a dream.

    Thanks!

  8. Zo says:

    There is one more Outlook glitch to mention. I have a Windows XP SP3 with Microsoft Outlook 2003 SP3. I have setup several POP accounts within Outlook to access the Linux servers I personally own and send/receive personal and business email.

    Setting the “Tracking Options” does work. However, there is also a “Deleted” note which is sent to the original sender notifying them that you deleted their message. There is a “Read” note which can be turned off, then there is the “Deleted” note which apparently is Outlook communicating with the server and the server sending a “Deleted” note to the user who happens to be SPAMMERs, effectively telling them that this email address exists.

    The possible solution is to make sure the “Remove messages from the Server” is selected. This empties the mbox queue when checking email. Therefore, there is nothing for Outlook to communicate with the server since all of the messages have been downloaded from the server.

    It is a shame that we do not have a solution for this, especially when it affects their own software.

    Official Microsoft forum on this IMAP and POP issue:

    http://social.msdn.microsoft.com/forums/en-US/innovateonoffice/thread/82024df4-d5ec-4f89-b268-f824dc26c370/

  9. VD says:

    Here same problem. Microsoft Outlook 2010 and Outlook 2016, 32-bit, running on Windows 10 Home and Pro 64-bit. This is just awful. The option ‘Always ask..’ neither ‘Never send..’ (our default) just are being ignored. The ‘MFCMAPI’ tool seems to work to manually delete these read confirmations. You can keep the app on while sending/receiving e-mails, it works real-time. You can see the nasty queue being filled as you receive your spam.

    Of course this is not the way anyone would like to maintain their daily use of Outlook. Because it is manual and easy to forget or overlook. And it asks a lot of energy out of your productivity to stay ‘alert’ of such an error. It is actually a horror scenario: your default mail account being actively abused by the legitimate software you pay Microsoft for, while this error is around for many years and nowhere to find an official solution or workaround.

    Just talked on live chat with an official Microsoft Office Agent. He admitted that this is a bug that has not been solved. “We will have this relayed to our Research Engineers and have this marked as an ongoing bug.”

    The Agent asked me for a remote session to further ‘investigate’. I want to be gentle, but this I just had to refuse. I responded: It is not about I do not trust you. It is about you asking me (one guy) to help you (big corporation) sorting out your problems. While this is not something very incidentally, it is a bug that you acknowledge to be around for many, many years and actively being abused. Besides, my time is worth something. This error already costs me a fortune on energy, time and frustration, not to mention the credits on ‘spam detections’ by our smtp provider. You ‘investigating’ this matter on an individual level does not seem to make any sense at all.

    He replied: I understand. I will have to research on this some more and I will email you should there be an available workaround. I’m really sorry if no concrete answer was provided as the issue has something to do with the software’s design and implementation. I’d also like to apologize for the inconvenience this issue has caused you but please know that we are looking into this matter very carefully and the same information has been relayed to our Research Engineers for checking.

    I offered him to real-time forward all incoming e-mails on my account via the mailserver to him. So he can investigate anything at any way he likes, without consuming my time and trust on this.

    He did not reply to this, but sent a general e-mail about the support to me. Then he said I could mail some ‘screenshots’ and he just ended the live chat.

    You may attach the screenshot of the bug issue so we can pass this to our Research Engineer. We are very sorry if this issue has not been addressed. We will make sure to gather more information to fix this as soon as possible. For the meantime, You can also provide a feedback to our Feedback hub for Outlook (https://outlook.uservoice.com) or you can also post this issue to our Microsoft Community to help us get more information so other users can post or provide their sight on the said issue.

    If there is an update, I will post it here again.

    For now, conclusion:
    • Microsoft has no solution,
    • There is no real workaround
    • Microsoft politely excuses for this, and just leaves it there.
