Mailing List Archive

[Bug 3069] non-text part inside of forwarded message included in "body"
http://bugzilla.spamassassin.org/show_bug.cgi?id=3069





------- Additional Comments From felicity@kluge.net 2004-03-06 17:45 -------
yeah, this is from the conscious decision to include "message/*" parts in the
standard checks.

imo, we either need to accept this possibility, or stop including message/*
parts. since, as far as we've been able to tell, only apple mail seems to
display message/* attachments inline with the actual message, I'd say we should
stop including those parts.



------- You are receiving this mail because: -------
You are the assignee for the bug, or are watching the assignee.





------- Additional Comments From quinlan@pathname.com 2004-03-06 17:50 -------
> since, as far as we've been able to tell, only apple mail seems to
> display message/* attachments inline with the actual message, I'd say we should
> stop including those parts.

Well, we don't really render message/* attachments at all like Apple Mail.
Apple Mail treats them like a message, not like a text attachment.

My concern with doing nothing with them is that spammers could EASILY start
sending mail that says "Subject: forwarded message", includes a forwarded
message that we entirely skipped, and then someone has to open the attachment
to see ... a spam.

I know we usually try to closely simulate the rendering behavior of common
MUAs, but I think we need to also think about easy exploits like this one.
So, while Apple Mail does the wrong thing, I think it is (well, would be)
the right thing for us to render message attachments like Apple Mail.









------- Additional Comments From j.houwing@student.utwente.nl 2004-03-06 18:19 -------
Thunderbird and Mozilla mail have the option to show attachments inline. I
always have it on.








------- Additional Comments From felicity@kluge.net 2004-03-06 22:05 -------
ok, committed code to parse message/* parts into a subtree.

r7037








------- Additional Comments From quinlan@pathname.com 2004-03-06 22:13 -------
Jesse,

Can you do two things for us?

1. Figure out which headers from message/rfc822 Mozilla displays inline by
default when the option is turned on (To, Cc, From, Subject, Date, ... ?)
2. paste one screen shot of such a message (perhaps one with some HTML in the
inner message)

Likewise, if any Apple Mail users are watching, the same two things would be
helpful. Thanks.









------- Additional Comments From felicity@kluge.net 2004-03-06 22:25 -------
Subject: Re: non-text part inside of forwarded message included in "body"

On Sat, Mar 06, 2004 at 10:13:02PM -0800, bugzilla-daemon@bugzilla.spamassassin.org wrote:
> 1. Figure out which headers from message/rfc822 Mozilla displays inline by
> default when the option is turned on (To, Cc, From, Subject, Date, ... ?)
> 2. paste one screen shot of such a message (perhaps one with some HTML in the
> inner message)
>
> Likewise, if any Apple Mail users are watching, the same two things would be
> helpful. Thanks.

Since you asked... :)

Apple Mail shows the normal message, then "From", "Date", "To", and
"Subject" of the attached message, then strangely, the full attached
message as plain text.

Will attach a PDF of the basics shortly.










------- Additional Comments From felicity@kluge.net 2004-03-06 22:27 -------
Created an attachment (id=1818)
--> (http://bugzilla.spamassassin.org/attachment.cgi?id=1818&action=view)
apple mail window showing what gets displayed









------- Additional Comments From j.houwing@student.utwente.nl 2004-03-07 06:04 -------
Created an attachment (id=1819)
--> (http://bugzilla.spamassassin.org/attachment.cgi?id=1819&action=view)
Thunderbird screenshot (0.5)

Thunderbird shows the following inline:

Subject: Re: Yahoogroups Spamassassin rules
From: removed <removed@utwente.nl>
Date: Tue, 02 Mar 2004 11:31:02 +0100
To: "Jesse Houwing" <removed@removed.utwente.nl>








------- Additional Comments From j.houwing@student.utwente.nl 2004-03-07 06:07 -------
Thunderbird will show parts that are renderable by plugins or images directly.
Other parts I'd still have to check, but I don't think they'll be included as
plain text.








------- Additional Comments From j.houwing@student.utwente.nl 2004-03-07 06:17 -------
Seems they have fixed this in thunderbird. just tried the test message, but it
works as expected. I'm sure I've seen it happen.








------- Additional Comments From jm@jmason.org 2004-03-07 20:15 -------
Subject: Re: non-text part inside of forwarded message included in "body"


>imo, we either need to accept this possibility, or stop including
>message/* parts. since, as far as we've been able to tell, only apple
>mail seems to display message/* attachments inline with the actual
>message, I'd say we should stop including those parts.

+1 -- agreed with you here.










------- Additional Comments From jm@jmason.org 2004-03-07 20:19 -------
Subject: Re: non-text part inside of forwarded message included in "body"


>My concern with doing nothing with them is that spammers could EASILY start
>sending mail that says "Subject: forwarded message", includes a forwarded
>message that we entirely skipped, and then someone has to open the attachment
>to see ... a spam.

IMO, they could do the same with a HTML document in a password-protected
ZIP file. So I'm -1 about this idea.

--j.










------- Additional Comments From quinlan@pathname.com 2004-03-07 20:39 -------
Subject: Re: non-text part inside of forwarded message included in "body"

> IMO, they could do the same with a HTML document in a password-protected
> ZIP file. So I'm -1 about this idea.

There's a significant gap between ZIP files (especially
password-protected ones) and forwarded messages. The latter looks much
more innocent, is well-supported everywhere, and is even displayed
inline (either by default or through an option) in some MUAs like Apple
Mail and Mozilla.

Bear in mind we've always been rendering text/message parts up through
2.64, just not especially gracefully. Ignoring them would create a
gaping wide hole.

Daniel










------- Additional Comments From felicity@kluge.net 2004-03-08 12:40 -------
fyi for apple mail... it will display the message/rfc822 inline -- but it doesn't decode it. so in my case I
sent a multipart message to myself, with the first part being message/rfc822 w/ base64 encoding
(preserving headers as it passes between MTAs). Apple Mail happily shows me the attachment and the
base64 encoded strings.








------- Additional Comments From quinlan@pathname.com 2004-03-12 23:01 -------
> base64 encoded strings

Hmmm... we definitely don't want to run tests on base64-encoded strings.
Recursively decoding the internals of message/rfc822 is probably the way
to go if we're not doing that already.










------- Additional Comments From felicity@kluge.net 2004-03-13 07:35 -------
yeah, I don't want to mimic the apple mail behavior. the parser makes a subtree
out of message/rfc822 parts, then they're handled in the same way as everything
else, so no problems there.



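The subtree handling and recursive decoding discussed in the comments above, as an added example that is not part of the bug thread and is not SpamAssassin's parser. It is written against Python's standard-library `email` package; `text_for_rules`, `build_outer`, the sample messages and the nesting cap of 10 are assumptions made for illustration.

```python
import base64
import email

# Constructed forwarded message: one text part and one non-text part.
INNER = ("From: someone@example.com\nSubject: inner\nMIME-Version: 1.0\n"
         'Content-Type: multipart/mixed; boundary="in"\n\n'
         "--in\nContent-Type: text/plain\n\n"
         "LIMITED OFFER inside the forwarded message\n"
         "--in\nContent-Type: application/octet-stream\n"
         "Content-Transfer-Encoding: base64\n\nAAECAwQF\n--in--\n")

def build_outer(b64_inner):
    """Constructed outer mail that carries INNER as a message/rfc822 part."""
    cte, body = "7bit", INNER
    if b64_inner:
        cte, body = "base64", base64.encodebytes(INNER.encode()).decode()
    return ("Subject: forwarded message\nMIME-Version: 1.0\n"
            'Content-Type: multipart/mixed; boundary="out"\n\n'
            "--out\nContent-Type: text/plain\n\nSee attached.\n"
            "--out\nContent-Type: message/rfc822\n"
            f"Content-Transfer-Encoding: {cte}\n\n{body}--out--\n")

def text_for_rules(msg, descend=True, depth=0):
    """Decoded text/* leaves; message/rfc822 is walked as a subtree if descend."""
    if depth > 10:  # assumption: cap nesting so crafted mail cannot recurse forever
        return []
    if msg.get_content_type() == "message/rfc822":
        if not descend:
            return []  # the "stop including message/* parts" option
        inner = msg.get_payload(0)
        cte = msg.get("Content-Transfer-Encoding", "").strip().lower()
        if cte == "base64":
            # The stdlib parser does not decode the container, so the "inner
            # message" is header-less base64 text: decode it and parse again.
            inner = email.message_from_bytes(base64.b64decode(inner.get_payload()))
        return text_for_rules(inner, descend, depth + 1)
    if msg.is_multipart():
        return [t for part in msg.get_payload()
                for t in text_for_rules(part, descend, depth + 1)]
    if msg.get_content_maintype() != "text":
        return []  # non-text leaf: never handed to body rules
    raw = msg.get_payload(decode=True)
    return [raw.decode(msg.get_content_charset() or "latin-1", "replace")]
```

With `descend=False` the forwarded text never reaches the rules; with the default, the plain and base64-wrapped samples yield the same decoded text and the `application/octet-stream` part is left out.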

jm@jmason.org changed:

What                     |Removed |Added
----------------------------------------------------------------------------
OtherBugsDependingOnThis |        |3208




