Decoded TNEFs get detected as COM executables

Thomas Jarosch thomas.jarosch at
Tue Jul 19 11:19:01 CEST 2011


I recently upgraded the "file" utility to version 5.07.

Since then I get a lot of false positives on winmail.dat attachments:
The attachment "attributes" get detected as COM executables.

I'm wondering why do_tnef() writes out the attachment attributes
in the first place? Currently I'm testing this little patch:

--- amavisd.before      2011-07-19 11:02:34.000000000 +0200
+++ amavisd     2011-07-19 11:04:03.874828428 +0200
@@ -23724,7 +23724,7 @@
   defined $tnef or die "Convert::TNEF failed: ".$Convert::TNEF::errstr;
   my($item_num) = 0; my($parent_placement) = $part->mime_placement;
   for my $a ($tnef->message, $tnef->attachments) {
-    for my $attr_name ('AttachData','Attachment') {
+    for my $attr_name ('AttachData') {
       my($dh) = $a->datahandle($attr_name);
       if (defined $dh) {
         my($newpart_obj)= Amavis::Unpackers::Part->new("$tempdir/parts",

No trouble so far. Mark, can you shed some light on this why it is needed?

I'll also send a sample of the "attribute data" to the file author,
maybe we can improve the detection.


More information about the amavis-users mailing list