Apple hides attachments in malformed multipart mail

Recently I got a PDF of a filk songbook which I had contributed to. More precisely, the email said I was getting it, but there was no sign of an attachment. I wrote back to the editor who’d sent it, and she insisted it was there. Digging it out of the message revealed to me a whole new way of messing up email formats.

A quick look at the message source showed that there really was an attachment with Content-Type of “application/pdf” which took up well over 90% of the message. The question was why Thunderbird didn’t show it to me.

A little experimentation and analysis revealed the answer. The best way for me to show it is to present a hierarchical list of the message parts.

  • multipart/alternative (whole message)
    • text/plain
    • multipart/mixed
      • multipart/related
        • text/html
        • image/jpeg
        • application/pdf

You see what’s happening? The PDF is attached not to the top level of the message, but to the HTML alternative version of the message. Normally I view my messages as plain text in Thunderbird. I don’t like fancy decorations, and I don’t like URLs hidden behind links. HTML mail is a designed-in security flaw, responsible for millions of clicks on malicious links by people who didn’t know what they actually linked to.

With that structure, the PDF isn’t a message attachment. It’s just a part of the HTML view. There’s no sense to this; it just punishes people for viewing mail as text.

This wasn’t the sender’s fault; she didn’t know her message would act that way. The X-Mailer line tells us whose fault it was.

X-Mailer: iCloud MailClient18CProject48

(I’ve redacted a long hex string from the mail server name which might give individually identifying information.) The headers show the message came from, which belongs to Apple. Everything is consistent with its having come from Apple’s iCloud mailing software.

I wouldn’t put it past Apple to make life deliberately difficult for people trying to view mail as plain text, but I’ll restrain myself and put Hanlon’s Razor (“Never attribute to malice what can be explained by stupidity”) ahead of McGath’s Law (“Paranoia is a virtue”).

While I was going back and forth between text and HTML views, I discovered another oddity. This one’s Thunderbird’s fault. When I viewed the JHOVE 1.20 announcement message as HTML (either original or simple), Thunderbird told me it might be a scam. When I viewed it as text, the same message wasn’t a scam. It’s Schrödinger’s Email.

Comments are closed.