[SixClub] Slightly off-topic: HTML e-mail not worth the risk

Tom Peters tpeters at mixcom.com
Mon May 24 11:43:55 EDT 2004


Fellow hams: I've always thought this list's prohibitions against HTML
mail are well founded.
 de n9qqb
---------------------------- Original Message ----------------------------
Subject: [Spambayes] Slightly off-topic: HTML e-mail not worth the risk
From:    "Katz, Amir" <Amir_Katz at bmc.com>
Date:    Sat, May 22, 2004 8:14 am
To:      "Spambayes mailing list (E-mail)" <spambayes at python.org>
--------------------------------------------------------------------------

Today's focus:  HTML e-mail not worth the risk

By M. E. Kabay

Many people are sending HTML e-mail for no obvious reason or
benefit. HTML e-mail can be recognized by colored backgrounds or
typefaces. It sometimes has designs or other decorations in the
messages. Unfortunately, HTML e-mail is a security risk.

HTML messages can easily contain unwanted, mislabeled links, Web
bugs, harmful active content, and outright worms and viruses.

Richard Smith warned of emerging e-mail vulnerabilities in 1999,
when he listed dozens of problems related to HTML e-mail. A
particularly detailed analysis showed how HTML code in e-mail
could allow breaches of privacy using images and cookies:
<http://www.computerbytesman.com/privacy/cookleak.htm>

Invisible single-pixel images (called Web bugs) can enable this
kind of user e-mail tracking without alerting the naïve user
because most people don't examine the HTML code underlying
received e-mail messages.

Other vulnerabilities inherent in HTML e-mail include the
ability to run Visual Basic scripts, ActiveX controls, and
Macromedia flash, all of which can execute unauthorized and
unsafe code.

Some organizations and individuals are blocking HTML messages
outright. Blocking incoming HTML e-mail is easy because it
always includes recognizable strings associated with the HTML
underlying the fancy display.

I urge everyone to send plain text instead of HTML as the
default format for outgoing e-mail.

If you need to send a message with features beyond text, you can
always create a word-processing document and send that. However,
you should be aware that when you send a Microsoft Word
document, not only are you putting the recipient at risk from
embedded macros, but the appearance of your document may be
quite different on the recipient's computer if you do not share
the same set of fonts. RTF files typically do not carry macros
(although the font problem still exists).

Some recipients prefer a platform-independent format such as an
Adobe Acrobat PDF file rather than a platform-specific file such
as a Word document; PDF files do not depend on the recipient's
fonts for proper display, and they do not carry Word macros.

So to repeat: set your default format for outbound e-mail from
HTML to TEXT in your e-mail client. Here are some hints on how
to do that:

* If you are using Netscape Messenger as your client, click Edit
  | Mail & Newsgroups | Formatting to reach the panel that allows
  the configuration. Then at the top of the page, in the section
  labeled, "Message formatting" you can select the lower option,
  "Use the plain text editor to compose messages." The other
  section is labeled, "When sending HTML messages to recipients
  who are not listed as being able to receive them." You can
  select the second option there, "Convert the message into plain
  text."

* If you are using Microsoft Outlook, use the Tools | Options |
  Mail Format sequence to reach the panel where you can select
  "Compose in this message format: Plain Text" as your format for 
  outgoing mail.

* If you are using Outlook Express, use the Tools | Options |
  Send sequence and check "Plain Text" in the "Mail Sending
  Format" section of the panel.

Other e-mail clients will also have options for you to select
plain text.

Remember the old Shaker hymn: "'Tis the gift to be simple / 'tis
the gift to be free, / 'tis the gift to come down / where we
ought to be."

Keep it simple; keep it plain.

RELATED EDITORIAL LINKS

Email security hazards
Richard Smith
http://www.computerbytesman.com/security/email/

Bugnosis Web Bug FAQ
http://www.bugnosis.org/faq.html

How HTML email invades your privacy
http://email.about.com/library/weekly/aa121100a.htm

A quick guide to email security
http://www.zzee.com/email-security/#zzee_link_5_1023208034

"'Tis the gift to be simple"
http://www.oremus.org/hymnal/t/t717.html
_______________________________________________________________
To contact: M. E. Kabay

M. E. Kabay, Ph.D., CISSP, is Associate Professor of Information
Assurance at Norwich University in Northfield, Vt. Mich can be
reached by e-mail <mailto:mkabay at norwich.edu> and his Web site
<http://www2.norwich.edu/mkabay/index.htm>.
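An added illustration of the points above about web bugs, active content and how easily HTML mail can be recognised (example code by the editor, not from the newsletter or the list): a small Python checker that parses a message with the standard library, reports whether it carries an HTML part, and flags remote images with 1x1 or hidden dimensions plus tags that can run code. The sample message, its boundary and all hostnames are constructed.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Tags the article singles out as able to run code (scripts, ActiveX, Flash);
# the parser below also collects 1x1 or hidden remote images (web bugs).
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe"}

class _HtmlAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote_images, self.web_bugs, self.active = [], [], []

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}
        if tag in ACTIVE_TAGS:
            self.active.append(tag)
        elif tag == "img" and urlparse(a.get("src", "")).scheme in ("http", "https"):
            self.remote_images.append(a["src"])
            tiny = a.get("width") in ("0", "1") and a.get("height") in ("0", "1")
            hidden = "display:none" in a.get("style", "").replace(" ", "")
            if tiny or hidden:  # the classic single-pixel tracker
                self.web_bugs.append(a["src"])

def audit_message(raw: bytes) -> dict:
    """Summarise what a mail gateway would want to know before delivering."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    if html_part is None:  # plain-text only: nothing to inspect
        return {"html": False, "remote_images": [], "web_bugs": [], "active": []}
    p = _HtmlAudit()
    p.feed(html_part.get_content())
    return {"html": True, "remote_images": p.remote_images, "web_bugs": p.web_bugs, "active": p.active}

# Constructed sample: multipart/alternative carrying a tracking pixel and an <object>.
SAMPLE = b"""\
Subject: constructed sample
Content-Type: multipart/alternative; boundary="XYZ"

--XYZ
Content-Type: text/plain; charset="us-ascii"

Plain-text version of the message.
--XYZ
Content-Type: text/html; charset="us-ascii"

<html><body><img src="http://tracker.example.invalid/b.gif?uid=12345" width="1" height="1">
<object data="http://cdn.example.invalid/movie.swf"></object></body></html>
--XYZ--
"""
```

Running `audit_message(SAMPLE)` reports the HTML part, the single-pixel image as a web bug and the `object` tag as active content, while a text-only message comes back with `"html": False`.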
