[Esd-l] Weird behavior on some attachments

Mark Wendt wendt at kingcrab.nrl.navy.mil
Thu Dec 20 09:09:01 PST 2001


Eric,

At 11:33 AM 12/20/2001 -0500, you wrote:
> > Using Outlook 2002, it sees the attachment as a UUE attachment and it
> > defangs the extension.
>
>(after some testing) Hmm.. you're absolutely right, it does.  I vaguely
>remember John saying something about that some time ago, but I didn't click
>that it really needed to be added until right now :-)
>
>The problem is quite simple actually.  The code which attempts to strip
>attachments is only looking at MIME attachments.  So uuencoded attachments
>cannot be stripped.  However, they can be poisoned.


         I guess I can live with the attachment being poisoned or having 
the extension mangled.  That at least keeps the damned executable from 
automatically running.


>I will try to throw a patch together for John which adds that functionality
>before this weekend.  If I don't make it before the weekend, it's going to be a
>long time, as I'm going on vacation next week :-)  Also, just because I create
>a patch doesn't mean it will go in, there's a lot of considerations to be taken
>in when adding new code to this.. for example -- apparently, the poor AIX guys
>have a limit on how big a script can be.. heh :-)

         Eric, I'd be happy to beta test your patch..... ;^}



>As far as the other problems you mentioned goes.. I can't really help you with
>that.  Our Outlook users are also getting the body of certain email messages as
>a text attachment.  While it might be kinda neat if it didn't do that -- the
>advantages of having John's "defanger", as we call it, by far outweigh the
>disadvantage of making users double-click occasional text attachments.  Sorry I
>can't help you more :-)  At one point I had been keeping track.. but I've since
>lost count of the thousands of viruses John's defanger has blocked for us.  The
>peace of being able to slowly stroll into the office on any given morning can't
>be measured.. not needing to race to the anti-virus sites to try and download
>the latest definitions before their site gets bogged down by everyone else
>trying to protect their systems.  Having John's system is a luxury, and he
>should probably be paid more than he is :-) (just remember this John when I
>send you a patch in a few hours ;-)


         Yes, it's a pretty nice feeling, that peace of mind thing.......


>To reiterate Mark's question -- by any chance, does anyone else know of a tweak
>or two to keep Outlook from making the body of a message into a text
>attachment?

         Interesting test I did just now.  I sent myself two messages using 
Outlook 2000, both with the same attachment, the only difference being one 
email had a line of text in the body, and the other had nothing in the 
body.  The first one had the attachment stripped off perfectly, left the 
line of text in the body that was originally sent, and added the warning 
that the attachment had been stripped.  The second message, with no text in 
the original body, was received with the MIME encoded executable as the 
body of the text, and also had the warning message that the executable had 
been stripped.  I tried the same experiment using Eudora, and both times the 
email came through with the attachment stripped cleanly, and the warning 
message in the body, along with the original text in the first message and 
no text in the second. So it looks like Outlook does things a bit 
differently than Eudora.  Quite the understatement, that eh?  One thing I 
did notice, on the message where the MIME encoded exe ended up in the body, 
just before the gibberish started, there was this:

Content-Disposition: attachment;
filename="cfwindem.exe"
X-Priority: 3 (Normal)
X-MSMail-Priority: Normal
X-Mailer: Microsoft Outlook IMO, Build 9.0.2416 (9.0.2911.0)
Importance: Normal
X-MimeOLE: Produced By Microsoft MimeOLE V5.50.4522.1200


         Maybe it's choking on the X-MimeOLE part.


>   -Eric


Mark
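
Added example, not part of the original thread and not the sanitizer's own code: it shows why a scanner that only walks MIME parts sees no attachment in a message carrying an inline uuencoded file, and how the extension on the uuencode "begin" line can still be mangled. The extension list, the DEFANGED- naming and the sample message are assumptions constructed for illustration; only the filename comes from the thread.

```python
import binascii
import re
from email import message_from_string

# Assumed extension list, for illustration only (not the sanitizer's real list).
RISKY = {"exe", "com", "bat", "pif", "scr", "vbs"}

# A uuencoded file starts with "begin <octal mode> <filename>" on its own line.
UU_BEGIN = re.compile(r"^begin ([0-7]{3,4}) ([^\r\n]+?)(?=[ \t]*\r?$)", re.MULTILINE)


def mime_filenames(msg):
    """Filenames a MIME-only scanner can see (Content-Disposition / name=)."""
    return [part.get_filename() for part in msg.walk() if part.get_filename()]


def uu_filenames(body):
    """Filenames announced by uuencode 'begin' lines inside a text body."""
    return [m.group(2) for m in UU_BEGIN.finditer(body)]


def defang_uu(body):
    """Mangle risky extensions on 'begin' lines; the encoded data is untouched."""
    def fix(m):
        stem, dot, ext = m.group(2).rpartition(".")
        if dot and ext.lower() in RISKY:
            return f"begin {m.group(1)} {stem}.DEFANGED-{ext}"
        return m.group(0)
    return UU_BEGIN.sub(fix, body)


# Constructed sample: a plain-text message carrying an inline uuencoded file.
ENCODED = binascii.b2a_uu(b"constructed sample bytes").decode("ascii")
SAMPLE = (
    "From: sender@example.com\n"
    "Subject: constructed test message\n"
    "\n"
    "See the attached file.\n"
    "\n"
    "begin 644 cfwindem.exe\n" + ENCODED + "`\nend\n"
)

if __name__ == "__main__":
    msg = message_from_string(SAMPLE)
    body = msg.get_payload()
    print("MIME-only scanner sees:", mime_filenames(msg))
    print("uuencode scanner sees: ", uu_filenames(body))
    print(defang_uu(body))
```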


