COMMAND

    NAI WebShield

SYSTEMS AFFECTED

    NAI WebShield SMTP

PROBLEM

    Chris Paget found the following.  While investigating a virus
    outbreak (Stages.Worm), he noticed that NAI WebShield SMTP 4.5,
    engine 4.0.50, DAT 4.0.4082, 14/06/00 was not picking up all
    attachments.  The server is configured to block all SHS, VBS, etc.
    attachments and notify the sender.  However, when these are sent
    Base64 encoded (rather than 8-bit), they are passed by the server
    and could potentially infect the network.  8-bit attachments are
    successfully scanned (and blocked if necessary).

    Further investigation showed this problem is not caused by base64
    encoding.  It is caused by the message being encoded in MS-TNEF
    (Microsoft Transport Neutral Encapsulation Format) and then
    getting base64 encoded.  MS-TNEF is used when Outlook sends Rich
    Text information over the Internet.

SOLUTION

    NAI knows that this is a problem but they have been unable to fix
    it.  The workaround is to install GroupShield for Exchange.
    GroupShield is installed at the mail servers, so the MS-TNEF is
    stripped by MS Exchange before GroupShield scans the files.

    Exchange Server
    ===============
    To configure MS Exchange not to use ms-tnef, follow these steps.
    Controlling the feature from the Microsoft Exchange Administrator
    program: The Microsoft Exchange Administrator program provides
    manipulation of this property for all outbound mail via the IMC
    in two ways: globally (all mail is encoded with the specified
    option), which overrides the originator's selection, or per
    destination domain (messages sent to a specific domain are
    encoded using a specified option).  Both of these share the same
    three options:

        1. Encode based on whatever the originator has specified (User).
        2. [Always] send in Microsoft Exchange Rich Text format (TNEF).
        3. [Never] send in Microsoft Rich Text format.

    The global setting is  found on the Internet  Mail tab of the  IMC
    properties  page  under   Message  Content  Information,   Sending
    Attachments Using, and the  Interoperability button.  In  addition
    to  specifying  TNEF,  the  Microsoft  Exchange  administrator can
    specify  other  options  such  as  the  encoding  method  (MIME or
    UUencode)  and  Character  Set  translation.   Setting  the global
    setting to [Never] send in Microsoft Rich Text Format will  ensure
    that WebShield  SMTP will  be able  to scan  all outbound  traffic
    from your  Exchange server.

    Exchange Clients
    ================
    To configure Exchange clients not to use ms-tnef, set the message
    type to plain text.  TNEF can be controlled in three places, and
    the procedure differs depending on your installation of Outlook
    (Internet Mail Only, or Corporate or Workgroup).

        - Global: Changing your default  mail format to Plain Text  or
          HTML  will  help  ensure  that  TNEF  is  not sent unless an
          Outlook feature needs it.
        - Per  Message: If  the message  is a  Rich Text  Format (RTF)
          message,  and  you  are  using  the Internet Mail Only (IMO)
          installation of Outlook,  you can turn  on or turn  off TNEF
          for one message at a time.
        - Per  Recipient: You  can specify  in the  recipient's e-mail
          address  to  not  send  TNEF,  so  that  a  recipient always
          receives plain text versions of the message.

    As you can see from the above descriptions, there isn't a global
    method of turning off ms-tnef in the Exchange client: the only
    way of forcing ms-tnef not to be used is to specify this for each
    recipient individually.  Please see the following MS TechNet
    articles for more detailed information on specific clients.

        Q136204 - Exchange client/Outlook all other versions.
        Q196784 - Outlook 2000.
        Q197064 - Outlook 2000.
        Q193117 - Outlook 98.
        Q193118 - Outlook 98.

    WebShield SMTP V4.5
    ===================
    To set up WebShield SMTP 4.5 to block all messages of the type
    ms-tnef, you will need to enable content filtering and add a
    filter for body text "Content-Type: application/ms-tnef".  You
    will also need to add a filter for Attachment file name
    "winmail.dat".  The first filter is for messages received in MIME
    formatting and the second is for uuencoded messages.
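
    The same two conditions, checked against raw messages outside the
    product (an added example, not part of the original advisory and
    not NAI's code).  It also tests the decoded attachment bytes for
    the TNEF signature 0x223E9F78; the function name find_tnef and the
    sample messages are constructed for illustration.

```python
import base64
import re
from email import message_from_bytes, policy

# TNEF streams open with the 32-bit signature 0x223E9F78, stored little-endian.
TNEF_SIGNATURE = bytes.fromhex("789f3e22")
# uuencoded attachments are announced by a "begin <mode> <filename>" line.
UU_BEGIN = re.compile(r"^begin [0-7]{3,4} (.+)$", re.MULTILINE)


def find_tnef(raw: bytes) -> list:
    """Return the reasons (possibly none) a raw message appears to carry TNEF."""
    reasons = []
    for part in message_from_bytes(raw, policy=policy.default).walk():
        if part.is_multipart():
            continue
        # decode=True undoes base64/quoted-printable, so the check sees raw bytes.
        payload = part.get_payload(decode=True) or b""
        if part.get_content_type() == "application/ms-tnef":
            reasons.append("content-type")
        if (part.get_filename() or "").lower() == "winmail.dat":
            reasons.append("filename")
        if payload.startswith(TNEF_SIGNATURE):
            reasons.append("signature")
        if part.get_content_maintype() == "text":
            for m in UU_BEGIN.finditer(payload.decode("latin-1")):
                if m.group(1).strip().lower() == "winmail.dat":
                    reasons.append("uuencode-filename")
    return reasons


# Constructed samples (not captured traffic): a MIME message with a base64
# TNEF part, a non-MIME message with a uuencoded winmail.dat, and plain text.
_B64 = base64.b64encode(TNEF_SIGNATURE + bytes(12)).decode()
SAMPLE_MIME = (
    "From: a@example.com\r\nTo: b@example.com\r\nMIME-Version: 1.0\r\n"
    'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    "--b1\r\nContent-Type: text/plain\r\n\r\nSee attached.\r\n"
    '--b1\r\nContent-Type: application/ms-tnef; name="winmail.dat"\r\n'
    "Content-Transfer-Encoding: base64\r\n\r\n" + _B64 + "\r\n--b1--\r\n"
).encode()
SAMPLE_UU = (
    "From: a@example.com\r\nTo: b@example.com\r\n\r\n"
    "See attached.\r\n\r\nbegin 644 winmail.dat\r\n`\r\nend\r\n"
).encode()
SAMPLE_CLEAN = b"From: a@example.com\r\nTo: b@example.com\r\n\r\nJust text.\r\n"

if __name__ == "__main__":
    for name in ("SAMPLE_MIME", "SAMPLE_UU", "SAMPLE_CLEAN"):
        print(name, find_tnef(globals()[name]))
```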

    There are several tools to decode TNEF encoding:

    - TNEF by Mark Simpson
      (this code is under the GPL)
        http://world.std.com/~damned/software.html
        http://freshmeat.net/appindex/1999/10/13/939847359.html

    - Fentun (for Windows 95, Linux and source; watch those N's).
        http://www.fentun.com

    - LS-TNEF: a Java-based TNEF decoder
        http://www.mirrorworlds.com/tnef/lstnef.zip

    - The Convert::TNEF perl module by Doug Wilson; see CPAN

    - Another TNEF decoder from Thomas Boll is available at
        http://slappy.org/listarchives/xfmail/1999-October/000273.html

    Also, a number of SMTP-based  mail scanning products scan TNEF  in
    shipping versions.   It seems  the problem  has been  fixed in the
    latest  version  of  the  product.   Version  4.5 with DAT version
    4.0.4082 appears to work correctly.