[Esa-l] TNEF encoding a "big gaping hole?" :)

Brett Glass brett at lariat.org
Sun Nov 5 17:05:28 PST 2000

The Sanitizer should have an option to strip TNEF attachments. As
Microsoft writes at


TNEF attachments can contain active content such as OLE objects,
and can also embed attachments in other formats -- including
worms and viruses.

Microsoft Outhouse Express always discards TNEF attachments, and 
Microsoft Expunge Server has a built-in option to do so.

It doesn't make sense to quarantine messages with them, but it does
make sense to strip them out silently. A few minor (and possibly
exploitable) Outhouse features, such as voting, won't work if
this is done, but it's better than letting a worm slip by.


At 04:30 PM 11/5/2000, Bjarni Runar Einarsson wrote:
>I just wanted to post a "heads up", for those of you who aren't paranoid
>yet about those winmail.dat files.  I apologize if this is old news or
>already handled by the sanitizer...
>Anyway, according to Microsoft's web site winmail.dat files or
>application/ms-tnef files can contain all sorts of evil stuff, including
>complete attachments.  So I'm advising people to put winmail.dat on their
>blacklists - and if John agrees and hasn't already, he should consider
>mangling the MIME type as well, since it may suffice even without the file
>P.S. I'm writing this from memory, and the MIME type may not be
>"application/ms-tnef".  Go check in the Microsoft knowledge base what to
>block before blocking anything.
>Bjarni R. Einarsson                           PGP: 02764305, B7A3AB89
> bre at netverjar.is              -><-             http://bre.klaki.net/
>Netverjar gegn ruslpósti: http://www.netverjar.is/baratta/ruslpostur/
>E-mail Security Announce list mailing list
>E-mail Security Announce list at spconnect.com

More information about the esd-l mailing list