[15412] in bugtraq


Re: NAI WebShield SMTP does not scan base64 encoding

daemon@ATHENA.MIT.EDU (Andre Albsmeier)
Wed Jun 21 14:01:45 2000

Mime-Version: 1.0
Content-Type: text/plain; charset=iso-8859-1
Content-Disposition: inline
Content-Transfer-Encoding: 8bit
Message-Id:  <20000621143634.A78450@curry.mchp.siemens.de>
Date:         Wed, 21 Jun 2000 14:36:34 +0200
Reply-To: Andre Albsmeier <andre.albsmeier@MCHP.SIEMENS.DE>
From: Andre Albsmeier <andre.albsmeier@MCHP.SIEMENS.DE>
X-To:         "Sato, Ken" <Satok@QUESTDIAGNOSTICS.COM>
To: BUGTRAQ@SECURITYFOCUS.COM
In-Reply-To:  <413AFAD82620D31190200090274F05FE0132C8DC@TBHWMIS2.metpath.com>;
              from Satok@QUESTDIAGNOSTICS.COM on Tue, Jun 20,
              2000 at 05:10:42PM -0400

On Tue, 20-Jun-2000 at 17:10:42 -0400, Sato, Ken wrote:
> Chris, Destry,
>
> Yes, I've had the same problem too.  Because MS is too selfish to release
> the precise specs on the MS-TNEF encoding scheme, NAI is unable to write a
> reliable API to decode MS-TNEF.

Hmm, there is a tool on the internet called fentum that decodes
MS-TNEF stuff under Unix. The author said he wrote it based on
some docs from M$.

But, interestingly, the fentum.com domain doesn't exist anymore.
Maybe the M$ people jumped in there and said "Stop that". Wouldn't
surprise me :-(

	-Andre

>
> The workaround for this is to install Groupshield for exchange.
> Groupshield is installed at the mail servers, so the MS-TNEF is stripped by
> the MS-Exchange before Groupshield scans the files.
>
> Rgds,
>
>  +-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-+-
> Ken, Information Security
>
> >-----Original Message-----
> >From: Fronck, Destry [mailto:DFronck@FDIC.GOV]
> >Sent: Tuesday, June 20, 2000 2:38 PM
> >To: BUGTRAQ@securityfocus.com
> >Subject: Re: NAI WebShield SMTP does not scan base64 encoding
> >
> >
> >Chris,
> >This problem is not caused by base64 encoding. It is caused by the message
> >being encoded in MS-TNEF (Microsoft Transport Neutral Encapsulation Format)
> >and then getting base64 encoded.
> ~snip snip
>
> >-----Original Message-----
> >From:	chris.paget@ANALYSYS.COM [mailto:chris.paget@ANALYSYS.COM]
> >Sent:	Tuesday, June 20, 2000 9:08 AM
> >To:	BUGTRAQ@SECURITYFOCUS.COM
> >Subject:	NAI WebShield SMTP does not scan base64 encoding
> >
> >While investigating today's virus outbreak (Stages.Worm), I noticed
> >that our email virus scanner (NAI WebShield SMTP 4.5, engine 4.0.50,
> >DAT 4.0.4082, 14/06/00) was not picking up all attachments.
> >The server is configured to block all SHS, VBS, etc attachments, and
> >notify the sender.  However, when these are sent as Base64 encoding
> >(rather than 8-bit), they are passed by the server, and could
> >potentially infect the network.  8-bit attachments are successfully
> >scanned (and blocked if necessary).
> >
> >Chris
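
The failure mode discussed in this thread, as an added example that is not part of the original messages or of any NAI product: an attachment policy has to be applied after the Content-Transfer-Encoding is undone, and a TNEF container has to be recognised as an opaque wrapper whose inner files are not visible to an extension check. The verdict names, the helper names and the sample message are constructed for illustration; the TNEF signature 0x223E9F78 is the format's leading magic number.

```python
import base64
from email import message_from_bytes, policy

BLOCKED_EXT = (".shs", ".vbs")           # extensions named in the original report
TNEF_MAGIC = bytes.fromhex("789f3e22")   # TNEF signature 0x223E9F78, little-endian on the wire

def inspect_message(raw):
    """Return (filename, transfer-encoding, verdict) per leaf part, judged after decoding."""
    findings = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        name = (part.get_filename() or "").lower()
        cte = str(part.get("Content-Transfer-Encoding", "7bit")).lower()
        data = part.get_payload(decode=True) or b""   # undoes base64 / quoted-printable
        if data.startswith(TNEF_MAGIC) or part.get_content_type() == "application/ms-tnef":
            verdict = "tnef-container"   # inner attachments stay hidden until TNEF is unpacked
        elif name.endswith(BLOCKED_EXT):
            verdict = "block"
        elif name:
            verdict = "pass"
        else:
            continue                     # unnamed body text, not an attachment
        findings.append((name, cte, verdict))
    return findings

def _part(name, cte, body):
    # Build one constructed MIME attachment part (hypothetical helper).
    return (f'--B\r\nContent-Type: application/octet-stream\r\n'
            f'Content-Disposition: attachment; filename="{name}"\r\n'
            f'Content-Transfer-Encoding: {cte}\r\n\r\n{body}\r\n')

def sample_message():
    # Constructed sample: harmless placeholder bytes, not real attachments.
    b64 = lambda b: base64.b64encode(b).decode()
    return ('MIME-Version: 1.0\r\nContent-Type: multipart/mixed; boundary="B"\r\n\r\n'
            + _part("a.vbs", "7bit", "MsgBox 1")
            + _part("b.SHS", "base64", b64(b"constructed placeholder"))
            + _part("winmail.dat", "base64", b64(TNEF_MAGIC + b"\x00" * 8))
            + _part("notes.txt", "base64", b64(b"hello"))
            + '--B--\r\n').encode()

if __name__ == "__main__":
    for row in inspect_message(sample_message()):
        print(row)
```

A gateway applying this logic would hand every `tnef-container` part to a TNEF unpacker, or quarantine it, instead of letting it through on its outer filename.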
