[esd-l] Re: Inline attachments.

John D. Hardin jhardin at impsec.org
Tue Jan 31 10:40:34 PST 2006


On Tue, 31 Jan 2006, Smart, Dan wrote:

> A user received what should have been a PowerPoint and PDF files
> as ATT####.DAT files.
> 
> I found the following on this issue... The attachment is named
> FILE.EXT, C.DTF, ATT0001.DAT (the number may vary as can the DAT)
> or xxxx.ATT (the xxxx varies). The original file name got lost
> during forwarding of the message or it was intended as an in-line
> attachment with no name and the receiving mail program or a server
> or mail program along the way doesn't support inline attachments
> and so generated a name. You will need to save the attachment,
> determine its correct file type and rename it. You may need to
> contact the sender to determine the correct file type. For some
> additional information, see the Identifying Attachment File Types
> section. This could also be part of an AppleDouble attachment (see
> Macintosh Notes).
> 
> Could this be an inline attachment? Is Sanitizer doing this?

The sanitizer would not be the cause. The filename mangling does not
lose any of the original filename information, it only adds to it.

Or is that the question you are asking?

The sanitizer is primarily filename based, with some magic for
detecting windows executables and some handling of MIME types.

There is at present no checking of the attachment file for magic to
determine type beyond Windows Executable, though that is on the to-do
list.

If the attachment needs to be saved and renamed, then it will not be
reflex-click-openable and will be subject to virus scanning on the
user's desktop (you *do* have a multilayered defense, right? :) when
saved.

> And is there a way to stop it for a sender, recipient, etc.

Yes, it's possible to customize the behavior of the sanitizer to a
very fine grain using the capabilities inherent in procmail to select
from multiple sets on configuration variables. This is one reason why
the sanitizer is still a procmail recipe.

Or am I totally off base?

--
 John Hardin KA7OHZ    ICQ#15735746    http://www.impsec.org/~jhardin/
 jhardin at impsec.org    FALaholic #11174    pgpk -a jhardin at impsec.org
 key: 0xB8732E79 - 2D8C 34F4 6411 F507 136C  AF76 D822 E6E6 B873 2E79
-----------------------------------------------------------------------
  The first time I saw a bagpipe, I thought the player was torturing
  an octopus. I was amazed they could scream so loudly.
                                        -- cat_herder_5263 on Y! SCOX
-----------------------------------------------------------------------
 12 days until Abraham Lincoln's 197th Birthday



More information about the esd-l mailing list