Posts Tagged ‘email’

Sending Apple Watch specific content

Tuesday, July 2nd, 2019

Two main content types are used in all HTML emails: the text/plain and text/html MIME types.

You should always include a plain text version of your email that closely matches the HTML version. Mail.dll will generate (extract) the plain text automatically if you provide only the HTML text.

Usually Apple Watch displays only the plain text part of your email. In most cases it considers the HTML too complicated (e.g. external images are referenced), so it shows the plain text version instead.

An external image is an image that isn’t embedded in the email using the cid: protocol, but is loaded from a remote HTTP server using a standard <img src=’…’ /> tag.

You can use ‘text/watch-html’ type to send a limited HTML version of your message to Apple Watch users, resulting in rich text-like messages on Apple Watch devices.

Here’s how to create and add such a MIME entity using Mail.dll:

MailBuilder builder = new MailBuilder();
builder.Subject = "Apple Watch Example";
builder.From.Add(new MailBox("alice@example.com"));
builder.To.Add(new MailBox("bob@example.com"));

builder.Html = "This is <strong>HTML</strong> text.";
builder.Text = "Plain text.";

MimeText appleWatchText = new MimeFactory().CreateMimeText();
appleWatchText.ContentType = ContentType.Parse("text/watch-html");
appleWatchText.Text = "This is <strong>Watch HTML</strong> text.";

builder.Alternatives.Add(appleWatchText);

IMail mail = builder.Create();

Please keep in mind that Apple Watch supports only a limited version of HTML.

Using the above code will create an email with the following content:

Content-Type: multipart/alternative;
 boundary="----=_NextPart_19511516.440335455040"
MIME-Version: 1.0
Date: Tue, 02 Jul 2019 15:38:53 +0200
Message-ID: <d65fcc07-c988-48e1-a466-166e18998d02@mail.dll>
Subject: Apple Watch Example
From: <alice@example.com>
To: <bob@example.com>

------=_NextPart_19511516.440335455040
Content-Type: text/plain;
 charset="utf-8"
Content-Transfer-Encoding: 7bit

Plain text.
------=_NextPart_19511516.440335455040
Content-Type: text/html;
 charset="utf-8"
Content-Transfer-Encoding: 7bit

This is <strong>HTML</strong> text.
------=_NextPart_19511516.440335455040
Content-Type: text/watch-html;
 charset="utf-8"
Content-Transfer-Encoding: 7bit

This is <strong>Watch HTML</strong> text.
------=_NextPart_19511516.440335455040--

Entire sample, including sending process:

MailBuilder builder = new MailBuilder();
builder.Subject = "Apple Watch Example";
builder.From.Add(new MailBox("alice@example.com"));
builder.To.Add(new MailBox("bob@example.com"));

builder.Text = "Plain text";
builder.Html = "This is <strong>HTML</strong> text.";

MimeText appleWatchText = new MimeFactory().CreateMimeText();
appleWatchText.ContentType = ContentType.Parse("text/watch-html");
appleWatchText.Text = "This is <strong>Watch HTML</strong> text.";

builder.Alternatives.Add(appleWatchText);

IMail mail = builder.Create();

// Send the message
using (Smtp smtp = new Smtp())
{
    smtp.Connect("server.example.com");   // or ConnectSSL for SSL
    smtp.UseBestLogin("user", "password"); // remove if not needed

    smtp.SendMessage(mail);

    smtp.Close();
}

Mail.dll is not affected by Mailsploit

Tuesday, December 5th, 2017

The Mailsploit vulnerability stems from how email servers and clients interpret email addresses containing encoded-words. Handling those incorrectly could allow an attacker to spoof email identities.

Recent specs (RFC 2822 and RFC 5322) don’t allow using encoded-words for email addresses (addr-spec):

3.4. Address Specification:
address = mailbox / group
mailbox = name-addr / addr-spec
name-addr = [display-name] angle-addr
angle-addr = [CFWS] "<" addr-spec ">" [CFWS] / obs-angle-addr
display-name = phrase

Here are the unit tests that show how Mail.dll behaves when such malicious emails are parsed. Please note that encoded-words are not decoded when they are part of an email address.

[Test]
public void Test1()
{
    string eml = @"From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@example.com

Body";

    IMail mail = new MailBuilder().CreateFromEmlASCII(eml);

    Assert.AreEqual(
        "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@example.com", 
        mail.Headers["From"]);

    Assert.AreEqual(
        "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@example.com", 
        mail.From[0].Address);                                      // Correct

    Assert.AreEqual(
        null, 
        mail.From[0].Name);                                         // Correct
}

[Test]
public void Test2()
{
    string eml = @"From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=

Body";

    IMail mail = new MailBuilder().CreateFromEmlASCII(eml);

    Assert.AreEqual(
        "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=", 
        mail.Headers["From"]);

    Assert.AreEqual(
        null, 
        mail.From[0].Address);                // Correct

    Assert.AreEqual(
        "potus@whitehouse.gov", 
        mail.From[0].Name);      // Correct - this is correct behavior, 
                                 // sender can put anything in the name field.
}

[Test]
public void Test3()
{
    string eml = @"From: =?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=" 
        + @"=?utf-8?Q?=00?=" 
        + @"=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@example.com

Body";

    IMail mail = new MailBuilder().CreateFromEmlASCII(eml);

    Assert.AreEqual(
        @"=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=" 
        + @"=?utf-8?Q?=00?=" 
        + @"=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@example.com", 
        mail.Headers["From"]);

    Assert.AreEqual(
        @"=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=" 
        + @"=?utf-8?Q?=00?=" 
        + @"=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@example.com", 
        mail.From[0].Address);            // Correct

    Assert.AreEqual(
        null, 
        mail.From[0].Name);               // Correct
}

Mail.dll allows anything in the name part of the address headers:

[Test]
public void Test4()
{
    string eml = @"From: =?utf-8?Q?=42=45=47=49=4E=20=2F"
        + @"=20=20=2F=20=00=20=50=41=53=53=45=44" 
        + @"=20=4E=55=4C=4C=20=42=59=54=45=20=2F=20=0D=0A" 
        + @"=20=50=41=53=53=45=44=20=43=52" 
        + @"=4C=46=20=2F=20=45=4E=44?= <test@example.com>

Body";

    IMail mail = new MailBuilder().CreateFromEmlASCII(eml);

    Assert.AreEqual(
        "test@example.com", 
        mail.From[0].Address);

    Assert.AreEqual(
        "BEGIN /  / \0 PASSED NULL BYTE / \r\n PASSED CRLF / END", 
        mail.From[0].Name); 

    // Note the \r\n (new line) and \0 (null) characters
}

The specification allows using encoded-words in the name (RFC 2047, section 5, “Use of encoded-words in message headers”, item (3)).
Encoded-words are used to encode non-ASCII characters, for example national characters like umlauts (ä, ö, ü).

RFC 2047 imposes no restrictions on which characters can be encoded, which means that the zero byte (\0) and new lines (\r\n) are valid characters.

Client applications must ensure that such special characters don’t ‘push’ the actual email address (“test@example.com”) outside of the control in such a way that it is no longer visible.
It is crucial for them to display the email address (test@example.com) no matter what is in the name field.
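
One way a client could follow this advice, shown as an added example (not Mail.dll code and not from the original post): it takes the name and address strings a parser returns, neutralizes control characters in the name, and always renders the address. The class and method names, the 40-character cap and the marker texts are assumptions.

```csharp
using System;
using System.Text;
using System.Text.RegularExpressions;

// Hypothetical helper; names and the 40-character cap are assumptions.
public static class SenderDisplay
{
    // RFC 2047 encoded-word: =?charset?B-or-Q?payload?=
    private static readonly Regex EncodedWord =
        new Regex(@"=\?[^?\s]+\?[bBqQ]\?[^?\s]*\?=");

    // True when the addr-spec still carries an encoded-word, which
    // RFC 5322 does not allow there (the Test1/Test3 inputs above).
    public static bool AddressHasEncodedWord(string address)
    {
        return address != null && EncodedWord.IsMatch(address);
    }

    // Replaces control characters (NUL, CR, LF, ...) with a visible
    // marker and caps the length so the name cannot crowd out the address.
    public static string CleanName(string name, int maxLength = 40)
    {
        if (string.IsNullOrEmpty(name)) return "";
        var sb = new StringBuilder();
        foreach (char c in name)
            sb.Append(char.IsControl(c) ? '\uFFFD' : c);
        string cleaned = Regex.Replace(sb.ToString(), @"\s+", " ").Trim();
        return cleaned.Length <= maxLength
            ? cleaned
            : cleaned.Substring(0, maxLength) + "...";
    }

    // Always renders the address, whatever the name contains.
    public static string Format(string name, string address)
    {
        string shown = string.IsNullOrEmpty(address) ? "(no address)" : address;
        if (AddressHasEncodedWord(address)) shown += " [encoded-word in address]";
        string cleaned = CleanName(name);
        return cleaned.Length == 0 ? "<" + shown + ">" : cleaned + " <" + shown + ">";
    }

    public static void Main()
    {
        // Constructed inputs modelled on Test4, Test2 and Test1 above.
        Console.WriteLine(Format("BEGIN / \0 NULL / \r\n CRLF / END", "test@example.com"));
        Console.WriteLine(Format("potus@whitehouse.gov", null));
        Console.WriteLine(Format(null, "=?utf-8?b?cG90dXNAd2hpdGVob3VzZS5nb3Y=?=@example.com"));
    }
}
```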