[15409] in bugtraq


Re: NAI WebShield SMTP does not scan base64 encoding

daemon@ATHENA.MIT.EDU (Sato, Ken)
Tue Jun 20 19:34:14 2000

Mime-Version: 1.0
Content-Type: text/plain; charset="iso-8859-1"
Message-Id:  <413AFAD82620D31190200090274F05FE0132C8DC@TBHWMIS2.metpath.com>
Date:         Tue, 20 Jun 2000 17:10:42 -0400
Reply-To: "Sato, Ken" <Satok@QUESTDIAGNOSTICS.COM>
From: "Sato, Ken" <Satok@QUESTDIAGNOSTICS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
Content-Transfer-Encoding: 8bit

Chris, Destry,

Yes, I've had the same problem too.  Because MS is too selfish to release
the precise specs on the MS-TNEF encoding scheme, NAI is unable to write a
reliable API to decode MS-TNEF.

The workaround for this is to install Groupshield for Exchange.
Groupshield is installed at the mail servers, so the MS-TNEF is stripped by
the MS-Exchange before Groupshield scans the files.  

Rgds, 

 +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
Ken, Information Security

>-----Original Message-----
>From: Fronck, Destry [mailto:DFronck@FDIC.GOV]
>Sent: Tuesday, June 20, 2000 2:38 PM
>To: BUGTRAQ@securityfocus.com
>Subject: Re: NAI WebShield SMTP does not scan base64 encoding
>
>
>Chris,
>This problem is not caused by base64 encoding. It is caused by the message
>being encoded in MS-TNEF (Microsoft Transport Neutral Encapsulation Format)
>and then getting base64 encoded.
~snip snip

>-----Original Message-----
>From:	chris.paget@ANALYSYS.COM [mailto:chris.paget@ANALYSYS.COM]
>Sent:	Tuesday, June 20, 2000 9:08 AM
>To:	BUGTRAQ@SECURITYFOCUS.COM
>Subject:	NAI WebShield SMTP does not scan base64 encoding
>
>While investigating today's virus outbreak (Stages.Worm), I noticed
>that our email virus scanner (NAI WebShield SMTP 4.5, engine 4.0.50,
>DAT 4.0.4082, 14/06/00) was not picking up all attachments.
>The server is configured to block all SHS, VBS, etc attachments, and
>notify the sender.  However, when these are sent as Base64 encoding
>(rather than 8-bit), they are passed by the server, and could
>potentially infect the network.  8-bit attachments are successfully
>scanned (and blocked if necessary).
>
>Chris
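
Added example, not part of the original thread and not NAI's code: a gateway-style attachment check that decodes the Content-Transfer-Encoding before applying the extension and content rules, and treats an MS-TNEF part as an opaque container instead of passing it. The sample message, the file names, MARKER and the "quarantine" verdict are constructed assumptions for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

BLOCKED_EXT = {".shs", ".vbs"}            # extensions named in the original report
TNEF_MAGIC = bytes.fromhex("789f3e22")    # TNEF signature 0x223E9F78, little-endian
MARKER = b"CONSTRUCTED-TEST-MARKER"       # stand-in for a content signature

def build_sample():
    """Constructed message: a 7bit part, two base64 parts and a TNEF blob."""
    msg = EmailMessage()
    msg["Subject"] = "constructed sample"
    msg.set_content("body")
    msg.add_attachment("MsgBox 1\n", filename="note.vbs", cte="7bit")
    msg.add_attachment(b"placeholder", maintype="application",
                       subtype="octet-stream", filename="report.shs")
    msg.add_attachment(b"xx" + MARKER, maintype="application",
                       subtype="octet-stream", filename="notes.bin")
    msg.add_attachment(TNEF_MAGIC + bytes(8), maintype="application",
                       subtype="ms-tnef", filename="winmail.dat")
    return msg.as_bytes()

def scan(raw):
    """Return (filename, transfer encoding, verdict) for each attachment."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    results = []
    for part in msg.iter_attachments():
        name = part.get_filename() or ""
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).lower()
        data = part.get_payload(decode=True) or b""   # undo base64 before inspecting
        ext = "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""
        if part.get_content_type() == "application/ms-tnef" or data.startswith(TNEF_MAGIC):
            verdict = "quarantine"   # opaque container, inner files not inspected
        elif ext in BLOCKED_EXT or MARKER in data:
            verdict = "block"
        else:
            verdict = "pass"
        results.append((name, cte, verdict))
    return results

if __name__ == "__main__":
    for row in scan(build_sample()):
        print(row)
```

The marker never appears in the raw message bytes, only in the decoded payload of notes.bin, which is why a rule applied before decoding misses base64 parts that it catches in 8-bit ones.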
