https://bz.apache.org/SpamAssassin/show_bug.cgi?id=8217
Bug ID: 8217
Summary: SpamAssassin can add UTF8 characters in mail headers
Product: Spamassassin
Version: 3.4.6
Hardware: All
OS: Linux
Status: NEW
Severity: normal
Priority: P2
Component: spamassassin
Assignee: [email protected]
Reporter: [email protected]
Target Milestone: Undefined
If an email message is sent that contains UTF8 characters, the Content preview
can add them to the headers of the message, preventing the email from being
processed.
SMTP error from remote mail server after end of data:
550 5.6.0 Message blocked due to illegal UTF-8 header encoding
Create a message.txt file with the Ä character in the body:
---
MIME-Version: 1.0
Date: Tue, 20 Feb 2024 15:03:28 +0000
From: [email protected]
To: [email protected]
Subject: NOK
User-Agent: Roundcube Webmail/1.6.0
Message-ID: <[email protected]>
X-Sender: [email protected]
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: 8bit

Ä
---
spamassassin -t < message.txt
X-Spam-Checker-Version: SpamAssassin 3.4.6 (2021-04-09) on server.cptest.tld
X-Spam-Level: **
X-Spam-Status: No, score=3.0 required=5.0 tests=BODY_SINGLE_WORD,
 DKIM_ADSP_NXDOMAIN,KAM_DMARC_STATUS,PYZOR_CHECK,SCC_BODY_SINGLE_WORD,
 T_SCC_BODY_TEXT_LINE shortcircuit=no autolearn=no autolearn_force=no
 version=3.4.6
MIME-Version: 1.0
Date: Tue, 20 Feb 2024 15:03:28 +0000
From: [email protected]
To: [email protected]
Subject: NOK
User-Agent: Roundcube Webmail/1.6.0
Message-ID: <[email protected]>
X-Sender: [email protected]
Content-Type: text/plain; charset=UTF-8;
 format=flowed
Content-Transfer-Encoding: 8bit

Ä
Spam detection software, running on the system "server.cptest.tld",
has NOT identified this incoming email as spam. The original
message has been attached to this so you can view it or label
similar future email. If you have any questions, see
root\@localhost for details.
Content preview: Ä
Content analysis details: (3.0 points, 5.0 required)
 pts rule name              description
---- ---------------------- --------------------------------------------------
 0.8 DKIM_ADSP_NXDOMAIN     No valid author signature and domain not in
                            DNS
 2.0 PYZOR_CHECK            Listed in Pyzor
                            (https://pyzor.readthedocs.io/en/latest/)
 0.0 KAM_DMARC_STATUS       Test Rule for DKIM or SPF Failure with Strict
                            Alignment
-0.0 T_SCC_BODY_TEXT_LINE   No description available.
 0.0 SCC_BODY_SINGLE_WORD   Message body seems like one word
 0.2 BODY_SINGLE_WORD       Message body is only one word (no spaces)
Note that Content preview: Ä is shown, which is invalid for email headers
(RFC6532?)
https://datatracker.ietf.org/doc/html/rfc6532#section-3.2
This will cause MTAs to fail with errors similar to the following:
SMTP error from remote mail server after end of data:
550 5.6.0 Message blocked due to illegal UTF-8 header encoding
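A pre-relay check for the condition the remote MTA rejected, as an added example that is not part of the original report or of SpamAssassin's code: it lists header fields that carry raw 8-bit bytes and shows an RFC 2047 encoded form of the value. The X-Spam-Report header name and both sample messages are assumptions constructed for illustration.

```python
import re
from email.header import Header

# Constructed sample, not taken from the report: the preview text lands in a
# header (name assumed to be X-Spam-Report) as raw UTF-8 bytes C3 84 ("Ä").
TAGGED = (
    b"X-Spam-Report: Content preview: \xc3\x84\r\n"
    b"\tContent analysis details: (3.0 points, 5.0 required)\r\n"
    b"Subject: NOK\r\n"
    b"Content-Type: text/plain; charset=UTF-8\r\n"
    b"Content-Transfer-Encoding: 8bit\r\n"
    b"\r\n"
    b"\xc3\x84\r\n"
)
# Constructed: the same message without the added header; the 8-bit byte is
# then only in the body, which Content-Transfer-Encoding: 8bit permits.
UNTAGGED = TAGGED[TAGGED.index(b"Subject:"):]


def header_section(raw: bytes) -> bytes:
    """Return everything before the first blank line (the header block)."""
    m = re.search(rb"\r?\n\r?\n", raw)
    return raw[:m.start()] if m else raw


def non_ascii_headers(raw: bytes) -> list:
    """Unfold header fields and return (name, value) for any with 8-bit bytes."""
    unfolded = re.sub(rb"\r?\n[ \t]+", b" ", header_section(raw))
    bad = []
    for line in unfolded.splitlines():
        if any(byte > 0x7F for byte in line):
            name, _, value = line.partition(b":")
            bad.append((name.decode("ascii", "replace"), value.strip()))
    return bad


def encode_value(value: bytes) -> str:
    """RFC 2047-encode a UTF-8 header value so only ASCII goes on the wire."""
    return Header(value.decode("utf-8", "replace"), charset="utf-8").encode()


if __name__ == "__main__":
    for name, value in non_ascii_headers(TAGGED):
        print(f"{name}: raw 8-bit bytes -> {encode_value(value)}")
```

Running such a check on the filter's output before handing the message to the next hop surfaces the problem locally instead of as a 550 from the remote server.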