Yahoo and "Filename contains lots of white space" rule
Ricky Boone
ricky.boone at gmail.com
Wed Jan 20 14:42:15 UTC 2021
Thanks, that was what I thought. The examples I'm seeing do not include
TAB characters after the break in the file name. They all start with a LF
control character, then a series of space characters (0x20), then the rest
of the file name. The amount of spaces seems to be variable. I'm finding
some that go above 20, some that are around 10... I can't discern a
pattern, and I can't fully prove that this is Yahoo that is doing it,
though it would seem odd to have that many senders doing the same thing on
their own in this way. I don't think this is a MailScanner issue, just
that a rule in MailScanner is potentially exposing RFC breaking behavior.
I do see another commonality, and that is the X-Mailer header containing
the following information (or similar):
X-Mailer: WebService/1.1.17501 YahooMailIosMobile Yahoo%20Mail/52372
CFNetwork/1209 Darwin/20.2.0
Every single example that I've seen so far indicates that these are being
sent potentially from the same type of email client (with some variations
on version strings, etc.). If I have time I'll see if there are any non @
yahoo.com examples that might indicate a commonality (iOS/macOS, etc.).
On Tue, Jan 19, 2021 at 5:48 PM Mark Sapiro <mark at msapiro.net> wrote:
> On 1/19/21 1:58 PM, Ricky Boone wrote:
> > Hello everyone,
> >
> > I was seeing a disproportionate number of messages from legitimate
> > @yahoo.com <http://yahoo.com> senders hitting our environment that, when
> > they have an attachment with a long name with spaces, they hit the
> > "Filename contains lots of white space" rule in filename.rules.conf.
> > Upon deeper inspection, it appears it may be something with Yahoo and
> > how they handle spaces when generating the Content-Disposition header in
> > the message. In most cases, when the file name went past a certain
> > number of characters, it was wrapped to the next line, but with 5-10
> > blank characters padded to it.
>
>
> See <https://www.rfc-editor.org/rfc/rfc5322.html#section-2.2.3>
>
> Note that the filename= parameter in a Content-Disposition is a
> structured field and should not be folded - try telling Yahoo that.
>
> Are you saying that Yahoo is folding by inserting more than just a CRLF,
> i.e. a CRLF and a TAB or multiple spaces. In that case, Yahoo is again
> non-conformant.
>
> However, none of that is helpful to you. There may be a MailScanner
> issue if Yahoo is folding by inserting CRLF TAB and MailScanner is
> considering the TAB to be multiple spaces. Is that the case?
>
> --
> Mark Sapiro <mark at msapiro.net> The highway is for gamblers,
> San Francisco Bay Area, California better use your sense - B. Dylan
>
>
> --
> MailScanner mailing list
> mailscanner at lists.mailscanner.info
> http://lists.mailscanner.info/mailman/listinfo/mailscanner
>
>
-------------- next part --------------
An HTML attachment was scrubbed...
URL: <http://lists.mailscanner.info/pipermail/mailscanner/attachments/20210120/24cafe8f/attachment.html>
More information about the MailScanner
mailing list