Re: [PLUG] Weird handling of incoming attachments in dovecot--winmail.da

Greg Helledy on 17 Jan 2018 14:49:16 -0800

[Date Prev] [Date Next] [Thread Prev] [Thread Next] [Date Index] [Thread Index]

Re: [PLUG] Weird handling of incoming attachments in dovecot--winmail.dat file

From: Greg Helledy <gregsonh@gra-inc.com>
To: plug@lists.phillylinux.org
Subject: Re: [PLUG] Weird handling of incoming attachments in dovecot--winmail.dat file
Date: Wed, 17 Jan 2018 17:49:16 -0500
Dkim-signature: v=1; a=rsa-sha256; q=dns/txt; c=relaxed/relaxed; d=gra-inc.com ; s=default; h=Content-Transfer-Encoding:Content-Type:In-Reply-To: MIME-Version:Date:Message-ID:From:References:To:Subject:Sender:Reply-To:Cc: Content-ID:Content-Description:Resent-Date:Resent-From:Resent-Sender: Resent-To:Resent-Cc:Resent-Message-ID:List-Id:List-Help:List-Unsubscribe: List-Subscribe:List-Post:List-Owner:List-Archive; bh=a1v3LdfDI382q/IKd9gz7JRmosAr6EHayX9EFdOMLZg=; b=C0TiMxmfgqNYJTr0jnIvLxSVnd wi8WAJdHH+rM6G763M9463xls494c/R0YfW1A36NcVNf+VhO0U5a2YB5q0SqPIVktJ2wTPLgN9z3G BNBNcDy7mU7u6hCzQ1L2cIGFwJBqr2zFC9act4/RR7vbpbZIbAsqE0/eBH2m+cbQ+tM4QMXghg8sk Ma26gNmNy6S/1y9QSHmna9UfOeQCRxtge1WApkV/8/gLcemJW55Htk6dD12nDzKy1hHWXs8Vl8NVo zS7dYr9WbnSMBszTRpQeY3esGXkZ6nX3YdLDSmsiBwszTyc9L9Z7bHOklFyWzBnYgGuQ+wRNx1RbI DbCnZgew==;
Organization: GRA, Incorporated
Reply-to: Philadelphia Linux User's Group Discussion List <plug@lists.phillylinux.org>
Sender: "plug" <plug-bounces@lists.phillylinux.org>
User-agent: Mozilla/5.0 (Windows NT 6.1; WOW64; rv:52.0) Gecko/20100101 Thunderbird/52.5.2

On 1/17/2018 3:00 PM, plug-request@lists.phillylinux.org wrote:

assuming your clients are using IMAP and not POP3 (without "leave on
server" enabled), check the raw message for one of those emails. the
path for this is going to change depending on configuration, but most
likely it's in one of:

/var/vmail/
/var/spool/mail/
/home/<user>/Maildir

etc.



/home/<user>/mail/


find a message that is reported as having a winmail.dat. open it in vi
or less or something that'll do plaintext. you should see a big ol'
block of base64 and*the actual filename above it*. this is the
attachment. if my theory is correct, this is going to be "winmail.dat".


Content-Disposition: attachment; filename="winmail.dat"
Content-Transfer-Encoding: base64
Content-Type: application/ms-tnef; name="winmail.dat"


if it IS, check your MTA setup - message filtering? does it do any
rewriting, quarantining, etc.?

Not that I can see. The thing is that this does not affect all myusers...and I certainly don't know how something like this would get seton a per-user level without me knowing about it.


if you've gone over all this and are not finding anything that's
modifying content, then it's almost assuredly on the sender's end.[0]
whether in the MUA, MTA, or MDA, however, i'm not sure. i don't know if
you're at liberty to say, but are all these faulty attachments from a
specific department in the given agency? if so, it may be a certain
workstation policy being applied to all windows desktops/outlook configs
in a given AD domain (or whatever they're called now). but that's kind
of on the crazier end of theories. gut tells me it's something in their MDA.

Yes, I believe everyone generating these winmail.dat emails is in factin the same "office" within the agency. Whether people in differentparts of the same agency would produce the same result, I don't know.

I really wonder whether it's that address-book glitch. Anyway, I'mpretty sure you're right, it's not my software that's doing this, it'stheir Outlook or mail server.


Thanks for the ideas!

--
Greg Helledy
GRA, Incorporated
P:  +1 215-884-7500
F:  +1 215-884-1385
www.gra.aero

___________________________________________________________________________
Philadelphia Linux Users Group         --        http://www.phillylinux.org
Announcements - http://lists.phillylinux.org/mailman/listinfo/plug-announce
General Discussion  --   http://lists.phillylinux.org/mailman/listinfo/plug

Prev by Date: Re: [PLUG] Weird handling of incoming attachments in dovecot--winmail.dat file
Next by Date: [PLUG] Windows Native SFTP Client
Previous by thread: [PLUG] DHCP, BIND security advisories
Next by thread: [PLUG] Windows Native SFTP Client
Index(es):
- Date
- Thread