[Exim] Re: .eml attachments

Author: Derrick 'dman' Hudson
Date:
To: exim-users
Subject: [Exim] Re: .eml attachments
--
On Wed, Jul 17, 2002 at 11:40:00AM +0100, Erik Erskine wrote:
| I've been using the filter at ftp://ftp.exim.org/pub/filter, this is
| helpful.
|
| It stops attachments with a .eml extension, and I've had users complain
| that they are unable to forward mails containing other attachments.
| Their mail client (Mozilla on Windows) sends a message with an
| attachment "ForwardedMessage.eml" which itself contains the other
| attachments.
|
| I've had to remove the check for .eml from the filter. What messages
| will now pass through that shouldn't? I'm assuming that any executable
| content will be caught by checking the nested attachments.


EML is a (Microsoft) way of serializing arbitrary OLE objects. The
EML can contain _anything_, including just a simple email message or a
worm.

The problem is some setting in the client. It shouldn't be wrapping
up messages like that. A number of people use Mozilla here and their
forwards are normal (rfc(2)822) mail messages. I've never seen a
mailer do what you describe, though I've heard tell of it before
(mostly with Lookout).

| Can anyone point me to an example of a problem .eml attachment?


Nimda.

The more well-known side of Nimda is the part that probes your system
for IIS. Once it gets inside an IIS system, it adds some (wonderful!)
JavaScript to all your pages. That JS opens a new window positioned
very far off-screen. It automatically downloads a .eml file (claiming
to be a wav) for IE/windows to "play" (execute). That starts the
email side of its propagation.

-D

--
The righteous hate what is false,
but the wicked bring shame and disgrace.
        Proverbs 13:5


http://dman.ddts.net/~dman/
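
Added example (not part of the original message, and not the filter from ftp.exim.org): a Python sketch of the "check the nested attachments" idea raised in the thread. It looks inside a forwarded `ForwardedMessage.eml` instead of blocking it by name, covering both a proper `message/rfc822` part and an `.eml` sent as an opaque blob. The extension list, the depth cap and the sample messages are assumptions constructed for illustration.

```python
import email
from email import policy
from email.message import EmailMessage

# Assumed blocklist for illustration; a real filter carries its own list.
BLOCKED_EXT = (".exe", ".scr", ".pif", ".bat", ".com", ".vbs")
MAX_DEPTH = 5  # assumed cap on how many opaque .eml wrappers get re-parsed

def blocked_attachments(msg, depth=0):
    """Return lower-cased names of blocked attachments at any nesting level."""
    if depth > MAX_DEPTH:
        return ["<nesting too deep>"]
    hits = []
    for part in msg.walk():  # walk() already descends into message/rfc822 parts
        name = (part.get_filename() or "").lower()
        if name.endswith(BLOCKED_EXT):
            hits.append(name)
        elif name.endswith(".eml") and part.get_content_type() != "message/rfc822":
            # .eml shipped as an opaque blob: decode it and parse it as a message
            raw = part.get_payload(decode=True) or b""
            inner = email.message_from_bytes(raw, policy=policy.default)
            hits += blocked_attachments(inner, depth + 1)
    return hits

def build_forward(inner_name, as_rfc822):
    """Constructed sample: a forward wrapping one message with one attachment."""
    inner = EmailMessage()
    inner["Subject"] = "original"
    inner.set_content("body")
    inner.add_attachment(b"constructed sample bytes", maintype="application",
                         subtype="octet-stream", filename=inner_name)
    outer = EmailMessage()
    outer["Subject"] = "Fwd: original"
    outer.set_content("see attached")
    if as_rfc822:
        outer.add_attachment(inner, filename="ForwardedMessage.eml")
    else:
        outer.add_attachment(inner.as_bytes(), maintype="application",
                             subtype="octet-stream", filename="ForwardedMessage.eml")
    return email.message_from_bytes(outer.as_bytes(), policy=policy.default)

if __name__ == "__main__":
    print(blocked_attachments(build_forward("report.pdf", True)))
    print(blocked_attachments(build_forward("notes.SCR", True)))
    print(blocked_attachments(build_forward("setup.exe", False)))
```

An `.eml` whose content does not parse as a mail message yields no nested parts here, so a filter built this way still needs its own policy for `.eml` files it cannot open.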