Digging around the forums it seems as though it's quite a common thing for hosts to do. They add some domain name as the From: header and sets "On behalf of" to whatever you specify as From: in your script. Like I said, the overriding From: header is not seen as valid by Outlook so I cannot add it to the safe list.

I should mention that this seems to be specific to Outlook 2007. Outlook 2003 as well as other email client software handle these emails correctly. I have my spam setting set to Low.

A quick fix would be to be able to manually modify the rule details, from which the string Password is marked as safe. If I would be able to do it on group policy level, even better!

Another observation is that there appears to be a hierarchy to the rules. If I send an email with the subject 'Password Viagra' from (on behalf of) viagra [at] cheapviagra.com it quite rightly ends up in junk.