Results 1 to 7 of 7
  1. #1
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Invisible Attachments (Outlook98)

    I seem to be finding out that Outlook98 does NOT always display attachments even though an email HAS an attachment. If I check the properties of the email, it says the email "Contains 1 included file" (see <A target="_blank" HREF=http://www.dslreports.com/r0/download/48205;02cd07a04111085f9c52180a0d7b7fb3/MIMEProperties.jpg>image</A>). YET, Outlook does not show me the paper clip or any other indication that the attachment is there.

    It seems to be hiding the fact that there is an attachment. If I sent myself the same email to OE, the attachment and paper clip show up as expected. What is going on?? Thanks.

  2. #2
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Roanoke area, Virginia, USA
    Posts
    3,729
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Invisible Attachments (Outlook98)

    the attachment is likely an image - possiblely a "web bug" transparent image.

  3. #3
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Invisible Attachments (Outlook98)

    No, it truly is not a web bug. A "web bug" is a "link" to an image that is INSIDE an HTML document. The link takes you to another web site to retrieve the image. That is not -- and by definition cannot be -- an "attachment". The web bug is IN the HTML code -- it is *not* attached separately.

    I already KNOW what the attachment is -- it is a .vbs file. BUT, Outlook98 does not show that it exists.

    Perhaps more visual images are needed. this -- WITH the paper clip and obvious attachment.

    You will notice the emails have the same name and the same source -- they are the same email. One is in Outlook98 and it does *not* show the attachment. The other is OE6 and it does show the attachment. Yet, both of them contain the attachment. The Properties window <A target="_blank" HREF=http://www.dslreports.com/r0/download/48205;02cd07a04111085f9c52180a0d7b7fb3/MIMEProperties.jpg>link</A> above SHOWS you that the attachment is "included" -- it is just "hidden"... To me, this is disturbing.

  4. #4
    Platinum Lounger
    Join Date
    Jan 2001
    Location
    Roanoke area, Virginia, USA
    Posts
    3,729
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Invisible Attachments (Outlook98)

    it's hidden because it's embedded in the html code and not attached like a normal attachment. outlook hides things etc that are embedded in html because it confuses users and they go looking for an attachment. Never versions show these embedded items as attachments and when someone new gets stationary they ask where the attachment is. They never consider they are looking at it. <img src=/S/grin.gif border=0 alt=grin width=15 height=15> you would not believe the number of help desk calls we get over these missing attachments. <img src=/S/laugh.gif border=0 alt=laugh width=15 height=15>

  5. #5
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Invisible Attachments (Outlook98)

    I am not sure if it is embedded in the HTML code or not -- I certainly do not SEE it in the code.

    If I select "View Source" -- which is supposed to SHOW me the HTML code -- or if I save the file as "HTML" and open it later -- there is NO record of this file. The file DOES exist -- it is a .vbs file. If I examine the HTML code, there is NO such code in the HTML. Nor is there a link to such code.

    The Properties box knows there is an "included" file. Would the Properties box call Embedded code "Included"? Thanks.

  6. #6
    Lounger
    Join Date
    Nov 2001
    Location
    MI, USA
    Posts
    33
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Invisible Attachments (Outlook98)

    I don't remember much about Outlook 98, but in 2000, we have a script icon instead of the paperclip.
    Try the following -- open the HTML email, view the source and save it as test.html.

    Now, look for any embedded scripts, as I recall with 98, what OutlookExpress was trying to tell you is that the HTML was loaded with a script. In your case a vbs script.

    When you locate the script (not a file, but the embedded vbs script), delete all of it (everything from <SCRIPT ... to ... </SCRIPT>) and save it as test2.html

    Now open both test1 & test2 in internet explorer, click on EDIT | SELECT ALL, then copy each page and paste them into respective new emails and send them back to yourself. When you receive them, the one with the script(s) intact will act the same as before, whereas the "neutered" email will show no attachment.

    Now you know.
    By the way, if one doesn't know/trust the source of the email, why would anyone open it? It could easily be malicious, even if it came from a friend. They could easily pass that on in ignorance. However, it could easily be innocent in that someone sent you a webpage from a site with embedded scripts. Receiver beware :<)

    AJF

  7. #7
    Silver Lounger
    Join Date
    Jan 2001
    Location
    Long Beach, California, USA
    Posts
    1,912
    Thanks
    0
    Thanked 0 Times in 0 Posts

    Re: Invisible Attachments (Outlook98)

    The source of the email is known as is the .vbs file. In fact the source is a test of email defenses. While the site is advertising their product, their test is a GOOD test of how safe your email client is. <A target="_blank" HREF=http://www.gfi.com/emailsecuritytest/>Here</A> is the site. After verifying your email address, it will send you four pieces of email that will each test a different aspect of email security. The tests include:

    VBS attachment vulnerability
    CLSID extension vulnerability
    MIME header vulnerability
    ActiveX vulnerability

    While analyzing the results of these tests, we noted that Outlook98 responded differently that other email clients. Other email clients show that the MIME Header vulnerability test email contains an attachment. However, Outlook98 does not. No one knew why.

    So I brought my question to the experts here.

    Examing the HTML shows NO obvious Script tags. In fact, I can Search for the word "Script" and none is found. The HTML has NO script in it.

    Below is a copy of the HTML -- see for yourself:

    <META HTTP-EQUIV="Content-Type" CONTENT="text/html;charset=iso-8859-1">
    <!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
    <HTML><HEAD>
    <META http-equiv=Content-Type content="text/html; charset=iso-8859-1">
    <META content="MSHTML 6.00.2600.0" name=GENERATOR>
    <STYLE></STYLE>
    </HEAD><BODY>
    <font face="Arial, Helvetica, sans-serif"><FONT size=2> <IFRAME src="cid:GFI" width=0 height=0></iframe>
    </FONT></font><FONT face=Arial><FONT size=2>
    <DIV><font face="Arial, Helvetica, sans-serif">Dear R2, </font>


    <font face="Arial, Helvetica, sans-serif">The MIME header vulnerability test
    has just been
    performed on your computer. Opening this mail
    automatically activates the test. </font></p>


    <font face="Arial, Helvetica, sans-serif">* If you can see gfi-test.txt</font></p>


    <font face="Arial, Helvetica, sans-serif">If the text file gfi-test.txt appears
    on your
    desktop, then you are vulnerable to attack from
    email viruses which use the MIME exploit. An
    example of this is Nimda, the fast-spreading
    virus that can run without user intervention. </font></p>


    <font face="Arial, Helvetica, sans-serif">The MIME exploit makes use of a
    malformed MIME
    header and an IFRAME tag to trick Outlook Express
    into running the attached VBS file: The VBS file
    is automatically executed upon opening the email,
    making this exploit very dangerous if combined with
    virulent code. </font></p>


    <font face="Arial, Helvetica, sans-serif">The text file, gfi-test.txt, has
    read vital
    information about your system, showing you that,
    in fact, it could have done anything it wanted on
    your system had it contained harmful code. (Note
    that the file in this test does not do anything
    malicious; it is just an example of a file which
    should be blocked at server level.)</font></p>


    <font face="Arial, Helvetica, sans-serif">* If you cannot see gfi-test.txt</font></p>


    <font face="Arial, Helvetica, sans-serif">If you are cannot see the file,
    this means you have
    effective client-based email security. Note that, for
    your network to be secure, every machine on your
    network must have such client-based protection
    installed, including your servers. Server level
    security is recommended as additional protection. </font></p>


    <font face="Arial, Helvetica, sans-serif">* For more information</font></p>


    <font face="Arial, Helvetica, sans-serif">For an in-depth explanation of
    this vulnerability and
    why virus scanning is not enough, check out our white
    papers, "Protecting your network against email threats:
    How to block email viruses and attacks" and "Why
    anti-virus software is not enough: The urgent need
    for server-based email content checking", at
    http://www.gfi.com/me/mespapers.htm. </font></p>


    <font face="Arial, Helvetica, sans-serif">* For server level protection</font></p>


    <font face="Arial, Helvetica, sans-serif">For effective protection, consider
    Mail essentials for
    Exchange/SMTP, GFI's email content checking and anti-virus
    gateway that defends your system against all current and
    future email-borne threats. For more information, visit
    http://www.gfi.com/mes/

    For sales questions, please email sales@gfi.com</font></p>


    <font face="Arial, Helvetica, sans-serif">Thank you.</font></p>


    <font face="Arial, Helvetica, sans-serif">Kind regards,</font></p>


    <font face="Arial, Helvetica, sans-serif">GFI
    </font></p>
    </DIV>
    </FONT></font>
    </BODY></HTML>
    __________________________

    Of note, it looks like the BadTrans infection uses the same method of "attaching" something inside the HTML -- so Outlook 98 (and apparently only Outlook 98) does not show this as an attachment.

Posting Permissions

  • You may not post new threads
  • You may not post replies
  • You may not post attachments
  • You may not edit your posts
  •