[Spambayes] Slightly off-topic: HTML e-mail not worth the risk
Amir_Katz at bmc.com
Sat May 22 09:14:34 EDT 2004
Since this mailing list is dealing with mail abuse and associated issues &
problems, I thought it would be of interest to the readers.
This is from the newsletter Network Newsletter on Identity Management:
Today's focus: HTML e-mail not worth the risk
By M. E. Kabay
Many people are sending HTML e-mail for no obvious reason or
benefit. HTML e-mail can be recognized by colored backgrounds or
typefaces. It sometimes has designs or other decorations in the
messages. Unfortunately, HTML e-mail is a security risk.
HTML messages can easily contain unwanted, mislabeled links, Web
bugs, harmful active content, and outright worms and viruses.
Richard Smith warned of emerging e-mail vulnerabilities in 1999,
when he listed dozens of problems related to HTML e-mail. A
particularly detailed analysis showed how HTML code in e-mail
could allow breaches of privacy using images and cookies:
Invisible single-pixel images (called Web bugs) can enable this
kind of user e-mail tracking without alerting the naïve user
because most people don't examine the HTML code underlying
received e-mail messages.
Other vulnerabilities inherent in HTML e-mail include the
ability to run Visual Basic scripts, ActiveX controls, and
Macromedia flash, all of which can execute unauthorized and
Some organizations and individuals are blocking HTML messages
outright. Blocking incoming HTML e-mail is easy because it
always includes recognizable strings associated with the HTML
underlying the fancy display.
I urge everyone to send plain text instead of HTML as the
default format for outgoing e-mail.
If you need to send a message with features beyond text, you can
always create a word-processing document and send that. However,
you should be aware that when you send a Microsoft Word
document, not only are you putting the recipient at risk from
embedded macros, but the appearance of your document may be
quite different on the recipient's computer if you do not share
the same set of fonts. RTF files typically do not carry macros
(although the font problem still exists).
Some recipients prefer a platform-independent format such as an
Adobe Acrobat PDF file rather than a platform-specific file such
as a Word document; PDF files do not depend on the recipient's
fonts for proper display, and they do not carry Word macros.
So to repeat: set your default format for outbound e-mail from
HTML to TEXT in your e-mail client. Here are some hints on how
to do that:
* If you are using Netscape Messenger as your client, click Edit
| Mail & Newsgroups | Formatting to reach the panel that allows
the configuration. Then at the top of the page, in the section
labeled, "Message formatting" you can select the lower option,
"Use the plain text editor to compose messages." The other
section is labeled, "When sending HTML messages to recipients
who are not listed as being able to receive them." You can
select the second option there, "Convert the message into plain
* If you are using Microsoft Outlook, use the Tools | Options |
Mail Format sequence to reach the panel where you can select
"Compose in this message format: Plain Text" as your format for
* If you are using Outlook Express, use the Tools | Options |
Send sequence and check "Plain Text" in the "Mail Sending
Format" section of the panel.
Other e-mail clients will also have options for you to select
Remember the old Shaker hymn: "'Tis the gift to be simple / 'tis
the gift to be free, / 'tis the gift to come down / where we
ought to be."
Keep it simple; keep it plain.
RELATED EDITORIAL LINKS
Email security hazards
Bugnosis Web Bug FAQ
How HTML email invades your privacy
A quick guide to email security
"'Tis the gift to be simple"
To contact: M. E. Kabay
M. E. Kabay, Ph.D., CISSP, is Associate Professor of Information
Assurance at Norwich University in Northfield, Vt. Mich can be
reached by e-mail <mailto:mkabay at norwich.edu> and his Web site
More information about the Spambayes