[Spambayes] Slightly off-topic: HTML e-mail not worth the risk

Katz, Amir Amir_Katz at bmc.com
Sat May 22 09:14:34 EDT 2004

Since this mailing list is dealing with mail abuse and associated issues &
problems, I thought it would be of interest to the readers.

This is from the newsletter Network Newsletter on Identity Management: 


Today's focus:  HTML e-mail not worth the risk

By M. E. Kabay

Many people are sending HTML e-mail for no obvious reason or 
benefit. HTML e-mail can be recognized by colored backgrounds or 
typefaces. It sometimes has designs or other decorations in the 
messages. Unfortunately, HTML e-mail is a security risk.

HTML messages can easily contain unwanted, mislabeled links, Web 
bugs, harmful active content, and outright worms and viruses.

Richard Smith warned of emerging e-mail vulnerabilities in 1999, 
when he listed dozens of problems related to HTML e-mail. A 
particularly detailed analysis showed how HTML code in e-mail 
could allow breaches of privacy using images and cookies: 

Invisible single-pixel images (called Web bugs) can enable this 
kind of user e-mail tracking without alerting the naïve user 
because most people don't examine the HTML code underlying 
received e-mail messages.

Other vulnerabilities inherent in HTML e-mail include the 
ability to run Visual Basic scripts, ActiveX controls, and 
Macromedia flash, all of which can execute unauthorized and 
unsafe code.

Some organizations and individuals are blocking HTML messages 
outright. Blocking incoming HTML e-mail is easy because it 
always includes recognizable strings associated with the HTML 
underlying the fancy display.

I urge everyone to send plain text instead of HTML as the 
default format for outgoing e-mail.

If you need to send a message with features beyond text, you can 
always create a word-processing document and send that. However, 
you should be aware that when you send a Microsoft Word 
document, not only are you putting the recipient at risk from 
embedded macros, but the appearance of your document may be 
quite different on the recipient's computer if you do not share 
the same set of fonts. RTF files typically do not carry macros 
(although the font problem still exists).

Some recipients prefer a platform-independent format such as an 
Adobe Acrobat PDF file rather than a platform-specific file such 
as a Word document; PDF files do not depend on the recipient's 
fonts for proper display, and they do not carry Word macros.

So to repeat: set your default format for outbound e-mail from 
HTML to TEXT in your e-mail client. Here are some hints on how 
to do that:

* If you are using Netscape Messenger as your client, click Edit 
  | Mail & Newsgroups | Formatting to reach the panel that allows 
  the configuration. Then at the top of the page, in the section 
  labeled, "Message formatting" you can select the lower option, 
  "Use the plain text editor to compose messages." The other 
  section is labeled, "When sending HTML messages to recipients 
  who are not listed as being able to receive them." You can 
  select the second option there, "Convert the message into plain 

* If you are using Microsoft Outlook, use the Tools | Options | 
  Mail Format sequence to reach the panel where you can select 
  "Compose in this message format: Plain Text" as your format for 
  outgoing mail.

* If you are using Outlook Express, use the Tools | Options | 
  Send sequence and check "Plain Text" in the "Mail Sending 
  Format" section of the panel.

Other e-mail clients will also have options for you to select 
plain text.

Remember the old Shaker hymn: "'Tis the gift to be simple / 'tis 
the gift to be free, / 'tis the gift to come down / where we 
ought to be."

Keep it simple; keep it plain.


Email security hazards
Richard Smith

Bugnosis Web Bug FAQ

How HTML email invades your privacy

A quick guide to email security

"'Tis the gift to be simple"
To contact: M. E. Kabay

M. E. Kabay, Ph.D., CISSP, is Associate Professor of Information 
Assurance at Norwich University in Northfield, Vt. Mich can be 
reached by e-mail <mailto:mkabay at norwich.edu> and his Web site 


More information about the Spambayes mailing list