Running OWA under Safari results in spam injected into HTML-based outgoing emails
Laptop=MBPro circa 2010, Yosemite 10.10.1; Safari 8.0.2 (+ Ghostery 5.4.1, AdBlock 2.15). Little Snitch 3.5.1 (turned on, always) and Apple firewall turned off.
When running my laptop, sending an email (in HTML format) using Outlook Web Application (OWA) running in Safari, the outgoing email "hello world" runs about 256KBytes and contains an HTML spam-blob. Sample of the spam-blob below.
I did not figure this out until a couple clients rejected my email (many did not) as spam. I thought it was their problem, but I am, it turns out, the spammer, unknowingly. If I send from my personal account at Earthlink WebMail, both rich-text or plain text emails go out without problems. Then I sent OWA email to myself in Hello World messages, which showed up in Earthlink in the spam bucket, containing 256KBytes.
What stops the spam:
1) In OWA, if I change options from HTML to PLAIN TEXT, the problem stops. I can turn this puppy on and off like a light switch.
Gear_icon -> Options -> Mail -> Layout -> Message format
2) If I run OWA under Firefox (35.0.1, with adblock and ghostery), the problem DOES NOT OCCUR. Rich text messages appear to be going out without spam injection.
What does not stop the spam:
3) I was working without a signature-appended, then added three lines of text I typed in. Turning signature on or off seems to have no effect on whether spam goes out or doesn't. I do not have a GIF or image in my sig.
4) Twiddling with Ghostery (whitelist site, or not, or off altogether) seems to have no effect.
5) Twiddling with AdBlock (suspend, or turn off altogether) seems to have no effect.
6) Problem occurs when I use a different mac mini running same revisions as the laptop.
7) Also, I recently installed a Java update (jre-8u31...) just a few days ago, but the spam injection has gone on before and after the change.
I do not have other browsers, nor do I have time to install and use yet another browser: I have to conduct business on these machines. I suspect Chrome would not have the problem.
I have tried sending email in the Apple mail client without seeing any problems, but I am NOT planning to hook up Apple mail to synch with the Outlook mailbox. That would be another data point. I just am running short of patience to configure one more email thing. And, I do not want to install Outlook Exchange on my mac.
And, I've tried looking for suspicious site-access in the Little Snitch monitor log (i.e. while running OWA) but don't see anything striking.
Do I have a virus? I don't know, but don't think so (stop laughing). I've run MacScan in authenticated mode a few times this month, doesn't find anything, and I've had a clean system with no problems really for years. Opened a support question for this issue with MacScan today.
I don't know what web-based Outlook is doing or scripting, but I highly suspect some virus is in the scripts that is injecting a spam payload into the web mail. ?? The only other Msft products installed are Office for Business, part of a package that I got with GoDaddy. I did NOT want the Outlook Exchange client, so I deleted it after the download and never installed Outlook as a client (poutlook ?).
I upgraded from OS 10.something (pre-Mavericks) to Yosemite maybe a month ago. I set up this Outlook web mail account around the same time for business email, from Godaddy (and they hire Microsoft to host the Exchange server). GoDaddy is the front-line support, I am not able to get support from Microsoft for this service.
I have been on the support line with GoDaddy and Earthlink a lot: Earthlink to help unblock the incoming stuff marked as spam so I could figure out why stuff went "missing." After 8 hours on the phone, GoDaddy has taken a few sample files (with and without spam) and seemed very interested to "escalate" it. Support seems to be leaning towards: sounds like a bug in Safari, try Chrome or Firefox! But with GoDaddy you do not get issue-tickets, there is not a web forum to watch the investigation: it went down a dark hole AFAIK. And I truly believe there is some type of security breach and a hole in Safari that needs to be plugged.
Since I can't find a "security" heading in Apple user forums (nor at GoDaddy - what forums?), I am hoping to redirect Apple security team to look at this. Seriously: whatever this payload is, it could be nastier. Right now it just seems to take up space.
And, I could try the upgrade to Yosemite 10.10.2 (that came out, like, yesterday). I will wait for the gnashing of teeth to subside on the forums, to see if 10.10.2 upgrade will disrupt my work! (And, it will wait until I drive 1.5 hours to where there is a connection faster than rural DSL to download an OS upgrade. Hello Apple, you left behind us folks who live rural.)
Here is a sample blob of the spam that is being injected. I have a few text files of it (full headers etc). I am replacing the HTML chars left-arrow and right-arrow with left-paren and right-paren, so this blob won't get interpreted...
(html)
(head)
(meta http-equiv=3D"Content-Type" content=3D"text/html; charset=3Diso-8859-=
1")
(style type=3D"text/css" style=3D"display:none")(!-- p { margin-top: 0px; m=
argin-bottom: 0px; } .widget_sej_sidebar_ad, .widget_sidebaradwidget, .widg=
et_sponsored_content, .widget_uds-ads, .widget_vb_sidebar_ad, .widget_wnd_a=
.... and so on for a long long while
[onclick^=3D"window.open('http:JUNK/search/"]=
, a[data-redirect^=3D"this.href=3D'http://JUNK/redir?"=
], a[href$=3D"/JUNK.shtml"], a[href^=3D" http://ads.JUNK/"], a[hre=
f^=3D"http://JUNK/"], a[href^=3D"http://JUNK/"], =
... and more and more.
Macbook Pro 7.1 2010, 13" 4GB RAM 2.4GHz CPU, Mac OS X (10.6.6), 256 GB RAM Disk - so speedy!
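A way to check a saved message for the symptom described in this post, added here as an example (it is not code from the poster, Apple, Microsoft or GoDaddy): it decodes the quoted-printable HTML part, measures the `<style>` payload and counts its selectors. The sample message, the `example` hostnames and the 4096-byte threshold are constructed assumptions.

```python
import re
from email import message_from_bytes, policy
from email.message import EmailMessage

STYLE_RE = re.compile(r"<style\b[^>]*>(.*?)</style>", re.I | re.S)
RULE_RE = re.compile(r"([^{}]+)\{[^{}]*\}")
# Split a selector list on commas that are not inside an [attr="..."] selector.
SELECTOR_SPLIT_RE = re.compile(r",(?![^\[]*\])")


def audit_html_part(raw: bytes, max_style_bytes: int = 4096) -> dict:
    """Decode the HTML part of a raw message and measure its <style> payload."""
    msg = message_from_bytes(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:
        return {"style_bytes": 0, "selectors": 0, "visible_text": "",
                "suspicious": False}
    html = part.get_content()  # quoted-printable (=3D, soft breaks) is undone here
    styles = STYLE_RE.findall(html)
    css = " ".join(styles).replace("<!--", "").replace("-->", "")
    selectors = sum(
        len([s for s in SELECTOR_SPLIT_RE.split(group) if s.strip()])
        for group in RULE_RE.findall(css)
    )
    # What the recipient would actually read: drop style blocks, then tags.
    text = " ".join(re.sub(r"<[^>]+>", " ", STYLE_RE.sub("", html)).split())
    style_bytes = sum(len(s.encode("utf-8")) for s in styles)
    return {"style_bytes": style_bytes, "selectors": selectors,
            "visible_text": text, "suspicious": style_bytes > max_style_bytes}


def build_sample(n_rules: int) -> bytes:
    """Constructed test message: 'hello world' plus n_rules hiding selectors."""
    style = ""
    if n_rules:
        sels = ", ".join(f'a[href^="http://ads{i}.example/"]'
                         for i in range(n_rules))
        style = ('<style type="text/css" style="display:none"><!-- '
                 f"p {{ margin-top: 0px; }} {sels} {{ display: none; }} --></style>")
    html = f"<html><head>{style}</head><body><p>hello world</p></body></html>"
    msg = EmailMessage()
    msg["Subject"] = "hello world"
    msg.set_content(html, subtype="html", cte="quoted-printable")
    return msg.as_bytes()


if __name__ == "__main__":
    print(audit_html_part(build_sample(400)))
```

Run against a message saved with full headers, a result with a large `style_bytes` and a short `visible_text` matches the pattern reported here.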