Bug 3350 - Recognize plain/text as a textual attachment
Summary: Recognize plain/text as a textual attachment
Status: RESOLVED WORKSFORME
Alias: None
Product: Spamassassin
Classification: Unclassified
Component: spamassassin (show other bugs)
Version: 2.63
Hardware: All All
: P5 trivial
Target Milestone: Future
Assignee: SpamAssassin Developer Mailing List
URL:
Whiteboard:
Keywords:
Depends on:
Blocks:
 
Reported: 2004-05-04 14:04 UTC by Mikko Noromaa
Modified: 2005-05-10 11:42 UTC (History)
0 users


Attachment Type Modified Status Actions Submitter/CLA Status
Email showing the use of plain/text by Norton Antivirus text/plain None Mikko Noromaa [NoCLA]
Add an attachment (proposed patch, testcase, etc.)

Note You need to log in before you can comment on or make changes to this bug.
Description Mikko Noromaa 2004-05-04 14:04:22 UTC 
SpamAssassin should recognize some incorrect Content-Type's as textual. For 
example, Norton AntiVirus 10.0.1.13 replaces virus attachments with its own 
attachment that has a Content-Type of "plain/text". This makes it impossible 
to write any rules that catch these mails.

The fix can be done by changing PerMsgStatus.pm line 1016 from:

if ($ctype =~ /^(text\/\S+|message\/
\S+|multipart\/alternative|multipart\/related)/i)

to:

if ($ctype =~ /^(text\/\S+|plain\/text|message\/
\S+|multipart\/alternative|multipart\/related)/i)
Comment 1 Mikko Noromaa 2004-05-04 14:06:00 UTC 
Created attachment 1939 [details]
Email showing the use of plain/text by Norton Antivirus
Comment 2 Daniel Quinlan 2004-05-04 14:07:13 UTC 
Subject: Re:  New: Recognize plain/text as a textual attachment

I'll need you to attach an example email to have any idea of what you're
talking about.  Please use the attachment link on the bug page, please
don't cut and paste or email the example.
Comment 3 Daniel Quinlan 2004-05-04 14:07:36 UTC 
Subject: Re:  Recognize plain/text as a textual attachment

thanks
Comment 4 Mikko Noromaa 2004-05-04 14:08:34 UTC 
In the meantime, the following rule can be used to filter virus notifications 
from Norton Antivirus:

rawbody VIRUS_WARNING_NAV /\[skipped plain\/text attachment\]/

Of course, this rule matches any mail with this incorrect Content-Type.
Comment 5 Michael Bell 2004-09-01 12:15:04 UTC 
Now why Norton does that is beyond me

1. nitpicky: It's illegal. I'm assuming they haven't registered that mime type, 
so expecting anyone to recognize it is silly
2. the meat:e one assumes that in fact they don't want anyone to recognize 
this, that they've somehow "defanged" it. But IIRC, the DEFAULT treatment of an 
unrecognized mime type is to treat it as text/plain! So it's worthless
Comment 6 Theo Van Dinter 2004-09-01 12:33:05 UTC 
A few things.

1) If standard MUAs deal with "plain/text", we should figure out something.

2) The RFC (1521) specifically states:

   When a mail reader encounters mail with an unknown Content-type
   value, it should generally treat it as equivalent to
   "application/octet-stream", as described later in this document.
[...]
Appendix A
[...]
      5.  Upon encountering any unrecognized Content- Type, an
      implementation must treat it as if it had a Content-Type of
      "application/octet-stream" with no parameter sub-arguments.  How
      such data are handled is up to an implementation, but likely
      options for handling such unrecognized data include offering the
      user to write it into a file (decoded from its mail transport
      format) or offering the user to name a program to which the
      decoded data should be passed as input.  Unrecognized predefined
      types, which in a MIME-conformant mailer might still include
      audio, image, or video, should also be treated in this way.

   A user agent that meets the above conditions is said to be MIME-
   conformant.

3) I've searched the hundreds of thousands of messages in my corpus area.  0 ham hits, 2 spam hits, 
which upon review are actually Norton bounce messages from joe-jobbed worm mails.

I don't think this is an issue for us.  Either the Norton folks should change to using text/plain, or by 
RFC we are supposed to treat their MIME part as a binary.


I vote for closing WFM.

BTW: if you want to catch these messages, you can write a simple plugin for 3.0 which looks for parts 
that have a "plain/text" content-type, it would be about 1 line of actual code. :)
Comment 7 Daniel Quinlan 2005-03-30 01:08:19 UTC 
move bug to Future milestone (previously set to Future -- I hope)
Comment 8 Justin Mason 2005-05-10 19:42:54 UTC 
Outlook: presents the message's text as a ".dat" attachment, instead of
presenting it inline.

marking WORKSFORME.