I am using multisite (not that I think that's the problem) and the main network administration panel is behind another domain name. When I am editing my current domain admin area, if I attempt to go to the network admin area (different url) sometimes there is some attempt at SMTP communications. It appears before all other source of the page and is presented in html at the top of my login page. And cookies get disabled because of the unexpected response. If I attempt login again, it logs in as normal and I can on.
This is a hard problem to reproduce, as it doesn't happen every time, although it seems to happen if I haven't attempted to login for some indeterminate period of time.
The comms are attempting to send an email via my host provider, but (luckily) the connection is never made (or not that I am aware of anyway). I have checked the usual suspect files, but I can't see any malicious code that I would normally expect to find at the head of any file or hidden behind base64 or obfuscated code.
Because this happens so rarely (probably once a day, twice maybe) it is hard to reproduce, as a result it is hard for me to determine where to find the problem.
It ONLY appears on the login page, and only for the network login. I'm after some suggestions of where I should be looking.