Re: oe6 reading mail showing as html raw source?

From: Bill Kearney (wkearney99_at_hotmail.com)
Date: 08/20/04


Date: Fri, 20 Aug 2004 14:35:19 -0400


> Are you running Ad-aware SE? Spybot v1.3? Do you seek updates for each
> tool before you use it, every time? Both have new updates: Ad-aware on 16
> Aug-04 and Spybot today (20 Aug-04).

Well, as updated as was possible as of 9pm last night.

> Have you re-configured Ad-aware for a full scan as per
> http://aumha.org/forum/viewtopic.php?t=5877?
>
> Did you run all of the tools in Safe Mode, with 'Show Hidden Files' enabled,
> and in this order?...
>
> CWShredder, Ad-aware, Spybot, HijackThis

Yep, followed them in order.

> Have you posted your HT log to a recommended forum and gotten the 'all
> clear' from an expert there?

Not as yet. You can imagine I'm loath to expose this situation to yet
another 'band of experts'. It's gobbled up way too much time already
confirming what it's NOT to people who sometimes appear to know less about
this than I already do. Such is the price paid of course.

> Judging from everything you've posted here, Bill, I have little doubt that
> the Windows Profile is damaged, not OE or any identities, and, barring
> anything you've not yet revealed here, the damage has most likely been
> caused by malware.

I'm not so quick to go blaming it on malware. Other than the cookies I get
nothing tripped on any of my log reports. I've even gone so far as to put
write protected directories in the common places programs like Comet Cursor
want to try using (heh, they can't run if they can't even install). So it's
not like I'm unaware of the risks, how to prevent them and how to deal with
fixing them.

I do, however, appreciate that it's not always obvious that folks on the
other end of the wire have the ability to do what's required.

> While you may be quite an experienced computer user, if
> that experience does not include interpreting hundreds of HijackThis logs
> accurately you cannot state with any certainty that the Profile is
> malware-free without getting the 'all clear' from one of the pros who post
> to HT log-specific forums. See "our" sub-thread here.

I can certainly appreciate that opinion. I respectfully disagree about
"pros" and "all clear" sentiments.

> Bill, you post using a Hotmail address. None of this is occurring in
> messages received by an MSN/Hotmail account, correct?

Were I retrieving them directly from Hotmail I suppose that might be a
question to answer. I don't. All mail is pulled into an IMAP box. Hotmail
is pulled via the quite handy little tool known as hotwayd. Thus all mail
is pulled via IMAP and, as I've already checked and double-checked, the mail
in the server's mailboxes is quite normal and works perfectly using another
account with its identity configured with the same mail server settings.

I've long used Hotmail for usenet postings because of its reasonably
reliable spam filtering. It's a good throwaway address but one that
actually works without all the user@removethis.whatever games. Being that
I can pull it via cron controlled fetchmail jobs and further process it with
spamassassin makes it painless.

> Have you considered creating a new Profile/Log-on, moving the old Profile's
> data to it and then deleting the latter?

Yeah, it's the "moving the old Profile's data" that's SUCH a pain in the
ass.

> Did you upgrade to WinXP (?) from an earlier Windows version? Which one?

Nope, as I stated at the outset this is a Windows 2000 box with sp4 on it.
It has, however, had a long history as it started at w2ksp1 and IE55 and has
probably suffered at the hands of quite a few of the hotfixes along the way.
Trouble is the profile in question is THE ONE that I use most heavily and
there's a metric-assload of things that have configured themselves to work
within its various registry entries. Picking this apart and moving it to
another profile (something I've done before) is just not something I have
much desire to perform.

Riddle me this, is there a tool like the unix 'diff' for registry trees?
One that I could point to a particular point of the tree and compare against
something else? The trick would then be to know 'where' in the trees to
make the comparisons.

What "looks like" is going on here is that when OE pulls up a message it
uses the IE control to show it. That control is, apparently, being fed from
normal data and is being transcoded into HTML improperly. That is, either
OE or the IE control is looking at the data and 'deciding' it needs to be
pushed through some sort of HTML parsing or converting stage prior to
display. I've wrestled with code that harnesses the IE control and it's not
always an easy process. But, near as I can tell, it's in that stage that
the process fails.

What's further intriguing is the way Reply and/or Forward are concerned.
The data that gets pushed to the new reply/forward form is encoded HTML.
That is, it has been pulled up from disk, converted to HTML and then
transcoded into encoded HTML. Going from "text-(linebreak)-text" into
"text-<BR>-text" and then further bastardized into "text-&lt;BR&gt;-text".
I've done plenty of XML and HTML programming and this is a clear sign that
some parser is being overzealous or called incorrectly. We see this all the
time in XML documents that incorrectly double-encode things (like &copy; as
&amp;copy;).

It would be interesting to hear from an OE developer directly as to how OE
pumps its data into the IE control.

-Bill Kearney
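
The double-encoding sequence described in the message above, reproduced as an added example (not part of the original post and not OE's actual code). Python's `html.escape` stands in for whatever encoder OE or the IE control applies; the function names and sample strings are constructed for illustration.

```python
import html
import re

def text_to_html(body):
    """Correct single pass: escape the plain text once, then mark line breaks."""
    return html.escape(body, quote=False).replace("\n", "<BR>")

def encode_again(markup):
    """The fault: a buffer that is already HTML is escaped a second time."""
    return html.escape(markup, quote=False)

# Heuristic signs of a second pass: an escaped ampersand that starts an entity
# (&amp;copy;, &amp;#169;) or a whole tag that arrived escaped (&lt;BR&gt;).
# Text that legitimately quotes markup also matches, so treat hits as leads.
SIGNS = re.compile(
    r"&amp;(?:#\d+|#x[0-9a-fA-F]+|[A-Za-z][A-Za-z0-9]*);"
    r"|&lt;/?[A-Za-z][A-Za-z0-9]*\s*/?&gt;"
)

def double_encoding_signs(rendered):
    """Return every substring that looks like it went through two encoders."""
    return [m.group(0) for m in SIGNS.finditer(rendered)]

if __name__ == "__main__":
    body = "text\ntext"                    # constructed sample message body
    once = text_to_html(body)
    twice = encode_again(once)
    for label, value in (("once", once), ("twice", twice)):
        print(label, repr(value), double_encoding_signs(value))
    print(repr(encode_again("&copy; 2004")))
```

Encoding exactly once, at the point where text enters the markup, is what keeps both the display and the escaping of untrusted message content correct; the detector only flags buffers where that rule appears to have been broken.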