[esd-l] RE: Inline attachments.

Smart, Dan SmartD at VMCMAIL.com
Wed Feb 1 08:23:16 PST 2006 

It is coming from GroupWise.  Note the attachment has the type: application/vnd.ms-powerpoint.  What I got was an attachment that says ATT55669.DAT.

Here's the headers in Outlook:
===============SNIP========================================
Microsoft Mail Internet Headers Version 2.0
Received: from COBHM007.na.vul.com ([172.30.205.107]) by COBHM005.na.vul.com with Microsoft SMTPSVC(5.0.2195.6713);
	 Wed, 1 Feb 2006 09:54:15 -0600
Received: from lewis.vul.com ([205.235.121.26]) by COBHM007.na.vul.com with Microsoft SMTPSVC(5.0.2195.6713);
	 Wed, 1 Feb 2006 09:54:15 -0600
Received: by lewis.vul.com (Vulcan E-mail Relay, from userid 502)
	id 474149BB23; Wed,  1 Feb 2006 09:54:15 -0600 (CST)
Received: from mail97.messagelabs.com (mail97.messagelabs.com [216.82.244.131])
	by lewis.vul.com (Vulcan E-mail Relay) with SMTP id 695569BB23
	for <smartd at vmcmail.com>; Wed,  1 Feb 2006 09:54:12 -0600 (CST)
X-VirusChecked: Checked
X-Env-Sender: slake at sternstewart.com
X-Msg-Ref: server-2.tower-97.messagelabs.com!1138809206!51534357!1
X-StarScan-Version: 5.5.9.1; banners=-,-,vmcmail.com
X-Originating-IP: [38.162.225.2]
X-SpamReason: No, hits=0.0 required=7.0 tests=Mail larger than max spam 
  size
Received: (qmail 19077 invoked from network); 1 Feb 2006 15:53:26 -0000
Received: from smtp.sternstewart.com (HELO sternstewart.com) (38.162.225.2)
  by server-2.tower-97.messagelabs.com with SMTP; 1 Feb 2006 15:53:26 -0000
Message-Id: <s3e08ca0.047 at sternstewart.com>
Date: Wed, 01 Feb 2006 10:25:07 -0500
From: "Sueann Lake" <slake at sternstewart.com>
To: <smartd at vmcmail.com>
Subject: just rec'd you em
Mime-Version: 1.0
X-Security: message sanitized on lewis
	See http://www.impsec.org/email-tools/sanitizer-intro.html
	for details. $Revision: 1.152 $Date: 2006/01/23 19:26:23 
Content-Type: multipart/mixed; boundary="=_F9DB57E0.CBAAB6B6"
Return-Path: slake at sternstewart.com
X-OriginalArrivalTime: 01 Feb 2006 15:54:15.0467 (UTC) FILETIME=[C0A26FB0:01C62747]

--=_F9DB57E0.CBAAB6B6
Content-Type: text/plain; charset=US-ASCII
Content-Disposition: inline
Content-Transfer-Encoding: quoted-printable

--=_F9DB57E0.CBAAB6B6
Content-Disposition: attachment; filename="Matrix.ppt"
Content-Type: application/vnd.ms-powerpoint
Content-Transfer-Encoding: base64


--=_F9DB57E0.CBAAB6B6--

=========================SNIP=======================
 

> -----Original Message-----
> From: esd-l-bounces at impsec.org 
> [mailto:esd-l-bounces at impsec.org] On Behalf Of John D. Hardin
> Sent: Tuesday, January 31, 2006 6:01 PM
> To: Email Security Discussion list
> Subject: Re: [esd-l] RE: Inline attachments.
> 
> On Tue, 31 Jan 2006, Jonathan Hutchins wrote:
> 
> > On Tue, January 31, 2006 12:49, Smart, Dan wrote:
> > 
> > > So something upstream is mangling the attachments?
> > 
> > My primary suspect would be the originator.  A lot of 
> Windows software 
> > plays games to hide file extensions these days, and that 
> often results 
> > in a lost file extension.  It could also be on a system 
> that uses the 
> > "Magic Number" bits at the beginning of the file, or as you 
> suggested, 
> > a Mac multipart file with no extension.
> 
> For some reason the voices in my head are whispering 
> "Eudora". Dan, is it possible that your C*O's correspondent 
> is using that mail client?
> 
> --
>  John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
>  jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
>  key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
> --------------------------------------------------------------
> ---------
>   The first time I saw a bagpipe, I thought the player was torturing
>   an octopus. I was amazed they could scream so loudly.
>                                         -- cat_herder_5263 on Y! SCOX
> --------------------------------------------------------------
> ---------
>  12 days until Abraham Lincoln's 197th Birthday
> 
> _______________________________________________
> esd-l mailing list
> esd-l at impsec.org
> http://www.impsec.org/mailman/listinfo/esd-l
> 
> 
> 


______________________________________________________________________
This e-mail has been scanned by MCI/MessageLabs Managed Email Service.

More information about the esd-l mailing list