t-prot - Man Page

TOFU Protection — Display Filter for RFC 5322 messages


t-prot [Options]...


This program is a filter to improve the readability of internet messages (emails and usenet posts) by *hiding* some annoying parts, e.g. mailing list footers, signatures, and TOFU (see definition below), as well as squeezing sequences of blank lines or punctuation. The program also detects TOFU or a high quoting ratio in a message (so you may take appropriate action, e.g. when submitting messages to a mailing list or a news server).
The filter is written in Perl and relies on input to be a single message conforming to RFC 822 or its successors, RFC 2822 and RFC 5322. In messages conforming to MIME (RFCs 2045-2049) t-prot handles text/plain parts, others are not touched.

Already reformatted messages are handled well: the script was initially designed to cope with the output of the MUA mutt (which is the reason for not using standard CPAN modules for handling messages).

T-prot offers example configuration files for mutt and its fork mutt-kz, Heirloom mailx and metamail. Also coming with the t-prot package is the example S-Lang macro t-prot.sl for using t-prot from within slrn. There is a proof-of-concept filter for INN2, which you will have to adapt to the needs of the news site you host. For use with sendmail's alias(5) file, please see below (the option -p provides an example line).


If you do not specify any options, t-prot does ... nothing. Every feature you want must be turned on explicitly. Admittedly, we have quite a number of options for t-prot. To limit confusion they are grouped into five sections: Input/Output Options, Advertisement And Mailing List Footers, Filtering Options, Detection Options, and Other Options. While the others should be quite clear, filtering and detection might deserve a word (or two).

If you want to tune the appearance of your mail from within your MUA (or news messages from within your NUA), then go for the Filtering Options section.

If you want to use t-prot to check on mails before they are submitted to mailing lists, fed to your news server, or delivered by your MDA, then have a peek at the Detection Options section. You may accept or reject/bounce messages depending on t-prot's result.

Input/Output Options


Defines an input file; default is '-' i.e. STDIN.


Defines the output file; default is STDOUT.


Input consists just of the message's body. There are no RFC 5322 header lines.

NOTE: This does not work with --pgp-short, and multipart messages will not be detected due to missing headers.


Allow insecure writing method. DO NOT USE UNLESS YOU REALLY KNOW WHAT YOU ARE DOING. (This ugly workaround is needed for some early mutt versions and should NEVER be used as a default, otherwise it will probably turn into a security issue.)

You can use this option safely to enable -o /dev/null (or other files which cannot be changed with the user's privileges).


Maximum number of lines a message may count (with headers). If the message is longer than x lines, the message will not be processed but printed unmodified. Exit status will be EX_DATAERR except when called with -Mmutt or -Mmutt-kz.

Filter Options


"shrink big quotes": Blocks of quotes with more than n lines will be shrunk to x lines. Defaults are 30 for n and 10 for x.


"compress": Squeezes a sequence of blank lines to just n blank lines. n defaults to 2.


Tolerate unified diff (see diff(1) and patch(1)) appended after the signature (which usually makes the signature too long to be valid).

Also, protect diff standard output from hiding (which would otherwise be easy prey for -t).


"ellipsis": Squeezes a sequence of four or more dots, exclamation marks, or question marks to only three dots or marks, respectively.


Fix broken quotes to adhere to RFC 3676 by removing spaces between quote characters and adding a space after them.
NOTE: This may produce false positives if spaces in between quote characters are intended (thus changing the quoting level, see RFC 3676 for details).


Hides TOFU as produced by Novell Groupwise.


"anti Kammquote": Tries (not too aggressively) to fix those broken zig-zag-shaped lines wrapped around by some MUAs which are known as "Kammquoting" in German.

NOTE: This option is considered stable by now. However, sometimes Kammquotes should have been removed but weren't. Please send a bug report if this happens to you (after carefully reading the Bugs and Reporting Bugs section of this man page, that is).

Please also note that enabling this option is quite a performance hit.


Minimum length difference between two lines for wrapped line detection on Kammquotes. For details, please see the source code.
Anyway, lower values make the algorithm more aggressive, higher values make Kammquotes harder to detect. Default is 20.

Requires -k.


Maximum line length for wrapped line detection on Kammquotes. For details, please see the source code.
Anyway, higher values make the algorithm more aggressive, lower values make Kammquotes harder to detect. Default is 80.

Requires -k.


Minimum line length for wrapped line detection on Kammquotes. For details, please see the source code.
Anyway, lower values make the algorithm more aggressive, higher values make Kammquotes harder to detect. Default is 65.

Requires -k.


Specify which locale to use for correct parsing of your MUA's formatting of the displayed message (usually it is the locale your MUA uses). Right now this option is only used when -Mmutt or -Mmutt-kz is specified, but this may change in future. You need the Perl module Locale::gettext for this feature.

NOTE: If you use mutt, mutt-kz or gnupg with locales, t-prot will only work correctly if you specify the corresponding locale string. Alternatively, you can use the environment variables LC_ALL, LC_MESSAGES, or LANG to specify the locale string.

NOTE also: You also have to make sure you are running t-prot with matching gnupg and mutt / mutt-kz versions. T-prot detects gnupg and mutt / mutt-kz locales of the recent stable versions of those programs, earlier versions might not work well with a recent version of t-prot.

-M,  --muaMUA

"mail user agent": Turn on special treatment for some mail user agents. (Right now only mutt(1) and mutt-kz(1) are supported, but more might be added in future.) Caveat: If your MUA is supported by this feature you must ensure t-prot makes use of it when called from within your MUA to work as desired.


"Microsoft TOFU": Hides TOFU as given by some Microsoft mailers. (You all surely know these fullquotes beginning with
"----- Original Message -----"
and some header lines...)


Burn CPU cycles trying to be smart with MS style TOFU: If there are PGP signed parts inside the TOFU, the text still might conceal other message parts and therefore should not be deleted.

Please note that this is probably just a waste of time because most MS Outlook users who do produce this kind of TOFU won't care about making their messages the least bit readable or even predictable. So this option will probably just be interesting for mutt message hooks (to activate it on demand when you know the sender tries to write legible messages).

Requires -Mmutt / -Mmutt-kz and -m.


Move PGP and SSL verification output to bottom; requires -Mmutt / -Mmutt-kz.


Move PGP and SSL verification output to bottom only if verification shows a good signature and the signature could be verified as authentic (using a trust path). If there is any problem with the signature, the PGP output should not be moved so the user is more likely to notice. Requires -Mmutt / -Mmutt-kz.

NOTE: If gpg is terminated before finished (e.g. hitting Ctrl-C, or using kill(1)), we cannot always detect if the check was interrupted. Though t-prot tries to be smart, there will be false positives.


Hide non-relevant PGP key uids; requires -Mmutt / -Mmutt-kz.


"rip header off": Hides all mail header lines.


Subject lines with multiple reply prefixes (Re: and translations into other languages) get squeezed to only one prefix.


"suppression of overlong signatures": Signatures are to be n lines (not including the one containing dash-dash-space) or less. If there are more, it is probably not that spirited after all. So with this option you trade it for a truely nice line.
If no n is given, default is 4. (We do not recommend using a value other than 4. Consider this old-fashioned, but we actually do *like* RFC conformance.)

NOTE: The line containing "-- " ist not counted when testing for an overlong signature, but it is included when displaying how many lines were deleted.


"signature deletion": Hides signatures, i.e. all lines after a "signature dashes" line, i.e. a line with three characters: dash-dash-space (no more, no less).


Sanitize headers "To:", "From:" and "Subject:": Quoted-printable gets fixed to the corresponding chars. German Umlauts are translated to their "ae", "oe", "ue" pendants.
Useful e.g. for searching by subject within MUAs like Berkeley mailx.


"maximum number of tolerated signatures": Here you can define how many signatures you accept to be treated as such. (Most significant behaviour is when microsoft style quotes are removed. Experts please see the code for the more subtle implications of this option.)
Leave empty or specify zero to have an unlimited number of sigs.  Default is 1.


"SpamAssassin workaround": SpamAssassin (available at http://spamassassin.org/) often is configured that it adds some lines to the message body containing information about the spam criteria which were found matching for the message. This option enables an extra test to avoid false positives for Microsoft style TOFU on such messages.


"TOFU deletion": Hides "traditional style" TOFU, where each line begins with the indent string ">".


"whitespace deletion": Hides trailing whitespace (sequences of space and tab). CAVEAT: This may lead to interesting effects with crossposts between mailing lists or with undetected signature attempts.

Detection Options


"user defined bounce message for picky delivery":  You may specify your own bounce message to be returned when we try to deliver an email and bounce it because there is TOFU inside. See -p.


"picky delivery": If we really find some TOFU, abort with exit code EX_UNAVAILABLE. Otherwise redirect the message to ADDRESS if given.

Intended for use from within mail delivery agents (MDAs) or mail transport  agents (MTAs), or even from within INN, so the message bounces if TOFU is detected, and does not get on *your* nerves. :)

As an example for usage with sendmail, put this line into your alias file and invoke newaliases:

notofu: |"/usr/local/bin/t-prot -mt -p=user@mydomain"

This will bounce messages for <notofu@domainname> if any TOFU is detected inside the message, and deliver it to <user@mydomain> otherwise. Note that TOFU is only detected if you specify -t respectively -m.

PLEASE be careful not to bounce messages to mailing lists!


Run checks. If successful, print an error message and quit with an appropriate exit code. Useful e.g. for rejecting messages from within INN2.

Flags are separated by commas (no whitespaces), and can be the following (right now just one flag):

If the quoting ratio is n or more, the message is rejected. Must be between 0 and 1, or else it is entirely disabled. Default is 0.75 (i.e., 75% of the message lines are quotes).

-d,  --debug

Print envelope info to syslog when bouncing TOFU contaminated email. Default syslog facility is mail.debug. Requires -p.

Other Options

-h,  --help

Displays a short help text with a summary on all options, and exits.

-v,  --version

Prints the current version number and exits.


The environment variables LC_ALL, LC_MESSAGES, and LANG are read and respected when interpreting output by mutt / mutt-kz or gnupg (unless they are overruled by the --locale option). T-prot's own output is English regardless of any locale setting.

Exit Status

On program exit, t-prot uses exit codes from /usr/include/sysexits.h and thus behaves in a manner that sendmail and others understand when calling t-prot.

Currently, the codes used are







If, however, perl fails to compile and execute t-prot, perl's normal exit codes will be returned.


TOFU is an abbreviation which mixes German and English words; it expands to "text oben, full-quote unten" which means "text above - full quote below" and describes the style of so many users who let their mailer or newsreader quote everything of the previous message and just add some text at the top; obviously they think that quoted text must not be changed at all. This is quite annoying as it needlessly sends a lot of data even when it is not required. Some editing of messages is desired. Please point these people to the page http://www.river.com/users/share/etiquette/edit.html - thank you!


There are several ways to fine-tune t-prot's performance:

Some command line options are quite grave a performance hit -- do not use -k and especially --ms-smart if you are content without them.

Checking for special footers is very costly as well. Put as few footer files as absolutely needed in any footer directory.

All PGP related options are eating up lots of CPU time. Try to avoid them on unsigned and unencrypted messages.

When calling t-prot from within mutt (or mutt-kz), you might use mutt's folder-hook and message-hook facilities to turn options on only when needed, e.g. to set up a different footer directory for each mailing list folder.



I want to make my mailing list footer files match more different mailing list footers. Can I use regular expressions, or how can I accomplish that?


Nope, regexp's do not work here. The comparison is made by the perl builtin index() function (see perldoc for more detailed info), so you must exactly match the beginning of the line. The longer the line you specify, the more precise the match; if your line is empty you match unconditionally.


I use the options -l and -L to suppress mailing list footers when displaying messages in mutt(1). This does work sometimes, but sometimes it does not: the footer is not detected, and therefore full quotes are not deleted and signatures are detected as too long (which they aren't).


This might occur if the message is badly encoded, so mutt cannot resolve all encoded characters, e.g. if you have an encoded message on a mailing list, and majordomo appends a mailing list footer in a different encoding (or even plain us-ascii). "-- " simply does not match "--=20".
Another problem are non-us-ascii characters. Just avoid them, and  everything should work fine.
See the preceding Q+A for a solution.


I want to write a message which contains parts that should *not* be  deleted even when filtered with t-prot. Is this possible?


Yes, but please do not spread word of it. Make unobstrusive use of the verbatim instruction:

This line is protected from being filtered by t-prot !!!!!!!
Text coming now is not.


Written by Jochen Striepe <t-prot@tolot.escape.de>.

Ideas and Inspiration

Many good ideas, bug reports and support from (in alphabetical order) Bjoern Buerger, Bjoern Laessig, Christian Borss, Gerfried Fuchs, Martin Neitzel, Martin Dietze, Matthias Kilian, Ralf Doeblitz, Sven Guckes and many more (see the ChangeLog for active contributors). Many thanks to all of them!

Many thanks to Gerhard H. Wrodnigg who uses a TOFU protection script in order to keep the responses to his cancel bot reasonably short.  The entire inspiration for this hack came from the "TOFU protection" line of his script on many usenet postings.


You can get the latest version from http://www.escape.de/users/tolot/mutt/.


There is a problem when mutt gives a PGP verified or even a multipart message to t-prot: The information where the PGP encrypted/signed data or even attachments begin and end is plainly embedded in the text, not really cleanly recognizable for t-prot. The problem should be worked around by now, please send a bug report if it does not work for you.

Reporting Bugs

Please note that t-prot development happens on current stable perl versions only. If you do run t-prot on earlier (or unstable) perl versions, you might encounter perl compiler bugs (or funny t-prot behaviour). One solution is to upgrade your perl, another is simply to write a bug report. If you do not run a current perl version, please include this information in your bug report.

Please do not report a bug if
* you found it in the Todo file coming with the distribution. We do know those and try to fix them as soon as possible.
* you have an old t-prot version. If you encounter a problem, first see if there is a new t-prot version which fixes the issue. If you upgraded to the latest version and it still occurs, a bug report is just great.

If you noticed a bug when processing a message and want to provide the t-prot team with some useful info, please:
* if invoking t-prot by mutt's display_filter facility, just set display_filter to something like

"tee ~/foobar | t-prot <your options>"

and include ~/foobar in the bug report -- this way we might reproduce the bug much easier if you are using a different environment than we do.
* provide information on what command line options you use t-prot with, what perl version t-prot runs on your system, and what else might be important to enable us reproducing the bug.

Send your bug report to <t-prot-bugs@tolot.escape.de>. Thank you.


Fix bugs (see the Bugs section). Beside that, all main features should be implemented by now. See the TODO file for more information.

See Also

mutt(1), mutt-kz(1), muttrc(5) and the part about "display_filter", perl(1), aliases(5),

RFCs 2045-2049, 3676 and 5322,

http://freshmeat.net/articles/t-prot/ (a nice, solid introduction),
http://got.to/quote/ (German language),
http://www.river.com/users/share/etiquette/edit.html (the Learn To Edit Messages HowTo has found a new home).


March 2015 T-PROT