[spambayes-dev] Re: [Spambayes] Re: mboxtrain croaks on spam mbox file

Skip Montanaro skip at pobox.com
Thu Sep 18 16:52:42 EDT 2003 

(Redirecting to spambayes-dev.)

    Drew> Anyway, after running mboxtrain on all these baby MH's, I finally
    Drew> found the culprit, #1688:

    ...

Thanks.  That's enough to begin tracking down the error, though I'm not the
best geek for the job.  Here's what I see so far.  The problem appears when
trying to decode the Content-Disposition header of the attachment.  I know
nothing about MIME email, so all I've been able to do is follow my nose to
see where it leads.

In email.Message.Message, the get_filename() method calls get_param(), which
calls _get_params_preserve, which calls get() to grab the raw header
contents, which is

    attachment; filename*1="eicar."; filename*2="com"

It then splits that into

    [('attachment',''), ('filename*1','"eicar."'), ('filename*2','"com"')]

and passes this to email.Utils.decode_params().  That's as far as I went,
because the docstring didn't seem to match what was being passed in:

    params is a sequence of 2-tuples containing (content type, string
    value).

and doesn't say anything about what's supposed to be returned.

I can't believe the first elements of those tuples can be considered
"content type" values in the usual MIME sense.  I suspect
email.Utils.decode_params() is either being called incorrectly and thus
returning garbage or isn't described properly in its docstring.  In this
case it returns

    [('attachment', ''), ('filename', (None, None, '"eicar.com"'))]

Skip

    Drew> ,----
    Drew> | From nobody Thu Aug  7 09:55:57 2003
    Drew> | Return-Path: <nobody at example.com>
    Drew> | X-Gnus-Mail-Source: maildir:~/Maildir/inbox/new
    Drew> | Message-ID: <l6v7k5q55sj.fsf at totally-fudged-out-message-id>
    Drew> | Delivered-To: aar at williams.mc.vanderbilt.edu
    Drew> | Received: (qmail 24184 invoked by alias); 7 Aug 2003 06:35:45 -0000
    Drew> | Delivered-To: postmaster at williams.mc.vanderbilt.edu
    Drew> | Received: (qmail 24126 invoked from network); 7 Aug 2003 06:35:44 -0000
    Drew> | Received: from unknown (HELO nessus) (160.129.223.39)
    Drew> |   by williams.mc.vanderbilt.edu with SMTP; 7 Aug 2003 06:35:44 -0000
    Drew> | From: nobody at example.com
    Drew> | To: postmaster@[160.129.208.222]
    Drew> | Organization: Nessus kabale
    Drew> | MIME-Version: 1.0
    Drew> | Subject: Nessus antivirus test 3: alternative base64 attachment
    Drew> | Content-Type: multipart/mixed; boundary="=-=-="
    Drew> | Xref: williams spam-archive-1:1689
    Drew> | Lines: 13
    Drew> | X-Gnus-Article-Number: 1689   Mon Aug 11 11:08:05 2003
    Drew> | 
    Drew> | 
    Drew> | --=-=-=
    Drew> | 
    Drew> | If you can read or execute the attachment, this means that you do not
    Drew> | have an antivirus, or that it was disabled.
    Drew> | 
    Drew> | --=-=-=
    Drew> | Content-Type: application/octet-stream
    Drew> | Content-Disposition: attachment; filename*1="eicar."; filename*2="com"
    Drew> | Content-Description: EICAR test file
    Drew> | 
    Drew> | X5O!P%@AP[4\PZX54(P^)7CC)7}$EICAR-STANDARD-ANTIVIRUS-TEST-FILE!$H+H*
    Drew> | --=-=-=--
    Drew> `----

More information about the spambayes-dev mailing list