Jan-Piet Mens

"Remote Forensic Software".

Mehr>

I've created six files with bogus extensions. The filename prefix denotes the actual content (text/plain, image/png and application/octet-stream), and I simply tacked on an extension for decoration.

What happens when I send off a message with all six files attached? Let me look at three e-mail clients I use regularly.

Lotus Notes 7.0.2 on Mac OS X displays the problem right after attaching the files. Note how the icons match the file extensions and not their content (remember: the file's content are the first three letters of the name, the rest is decorum):

Not a single one is right.

In Thunderbird version 2.0.0.6 we have a very similar situation after attaching the files:

All wrong again.

Mutt interprets the files with these content-types and gets none right. The reason is explained in the manual: Mutt consults the mime.types file to determine the type from the extension.

A  2 exe.jpg                 [image/jpeg, base64, 56K]
A  3 exe.txt   [text/plain, quoted, unknown-8bit, 56K]
A  4 png.jpg                [image/jpeg, base64, 133K]
A  5 png.txt  [text/plain, quoted, unknown-8bit, 133K]
A  6 txt.exe        [applica/x-msdos-pr, quoted, 0.1K]
A  7 txt.jpg                [image/jpeg, quoted, 0.1K]

Is it trivial to determine a file's content? Let me use the Unix file command and see.

$ file ???.???
exe.jpg: MS-DOS executable (EXE), OS/2 or MS Windows
exe.txt: MS-DOS executable (EXE), OS/2 or MS Windows
png.jpg: PNG image data, 500 x 778, 8-bit/color RGB, non-interlaced
png.txt: PNG image data, 500 x 778, 8-bit/color RGB, non-interlaced
txt.exe: ASCII text
txt.jpg: ASCII text

Yes, it is trivial.

I drove somebody crazy this morning by sending him this image found chez Volker.

My correspondent uses Lotus Notes and didn't see the image. I saw by his reply though, that he had actually received it, so I started digging a little.

I sent myself a similar message, following the steps as I'd done them before. In Mail.app I composed a new message

and addressed it to my Lotus Notes account. Upon opening the document in Notes, I see

nada. Zilch. Zip. Nothing. Niente. Nichts.

What is going on? The Notes view shows a message without the attachment indicator with a size of 140K, so that looks alright. The missing attachment indicator signalizes that the image is inline, which also appears to be correct, so why can't I see the image when i open the document?

Well, let me see what Lotus Domino Web Access, a.k.a. iNotes does:

Voila! There it is, so what is the problem? Accessing my Notes mail file via IMAP, I see that the attachment looks so:

o-xT07SCuVSk.jpg    [image/jpeg, base64, 179K]

What has happened?

Mail.app sent the message with a content-type of image/jpeg as the file extension suggests. Let me extract the file and check it

$ file o-xT07SCuVSk.jpg
o-xT07SCuVSk.jpg: PNG image data, 500 x 778, 8-bit/color RGB, non-interlaced

Whoops That file contains a PNG data stream, and not a JPEG image.

The Lotus client apparently checks the MIME content-type, but since it cannot decode the file as a JPEG stream, it just does nothing. I'd say iNotes didn't do anything to it at all, but just sent the whole thing down the pipe to the browser, which in the case of Firefox at least, was clever enough to do something with it, i.e. render the PNG image.

Interesting. The culprit here, IMHO is Mail.App which simply used the filename to determine the content type. The same holds true for Thunderbird and for one or two other programs I've tested.

Sloppy programming. On all sides. E-mail programs should check the file's content before setting any-old MIME content-type on send, and clients should verify content-types before attempting to display content.

Update: more pain.

Do you quickly need to look up HTML entities, you know, the things that look like ∗ (∗) ? The HTML Entity Character Lookup is the best of its kind and it is also available as a Dashboard Widget:

Alternatively, there are also cheat sheets you can print out

It was a long night but I managed to get the brunt of the synchronization working. I'll have to keep a close eye on things of course, as I've done quite a bit of re-design, but there is light at the end of the tunnel.

And then there are all the other little (or big) bits and pieces that need re-thinking, re-tooling and re-locating. It is quite extraordinary what an amount of utilities become vital in a productional environment, things that you only really remember when they stop working…

Once thing is certain: I can't say "next year we'll get organized". The time is now.

∗ The title of this posting is in honor of the IP address of the machine.

It is a refreshing change to be asked this question:

Can you handle MS-Word files, or would it be better to send you a plain text version?

My correspondent must be one of the fewest people who don't assume the Earth's population subscribes to Microsoft software.

My answer, you ask?

thanks for asking; I can handle them, but I would prefer plain
text.

I don't actually have Microsoft Word, but I can handle most documents fine.

Sehr professionell:

Zunächst dringen Beamte unbemerkt in die Wohnung ein und ermitteln, wie der Computer infiziert werden könnte. Bei einem zweiten Einbruch wird der maßgeschneiderte Trojaner installiert.

Mehr>

via.