
A practical example of why HTML e-mail is a bad idea

Viewing emails without rendering HTML formatted content can be a simple, easy, and effective security technique.

I received a phishing email the other day, and it reminded me why I use mutt as my mail user agent. The headers and text of the email look like this:

Delivered-To: unknown
Envelope-to: me@example.com
Delivery-date: Wed, 11 Feb 2009 09:45:07 -0700
Reply-To:
From: "service@paypal.com"
Subject: Account Expired ! Please renew your account !
Date: Wed, 11 Feb 2009 11:48:20 -0500
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
X-OriginalArrivalTime: 11 Feb 2009 16:45:05.0698 (UTC) FILETIME=[17964020:01C98C68]
X-user: ::::0.0.0.0:host.example.net::::::

<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
</meta><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title></title>
</meta></head>
<body>
<font face="Arial, Helvetica, sans-serif" size="2">Dear Member,<br />
<br />
Your PayPal account has expired. <br />
You must renew it immediately or your account will be closed. <br />
If you intend to use this service in the future, you must take action at once!<br />
<br />

To continue <a href="http://example.org/files/liaz/index.php">click here</a>, login to your PayPal account and follow the steps.<br />
<br />

Thank you for using PayPal!<br />
The PayPal Team<br />
<br />
</font><font face="Arial, Helvetica, sans-serif" size="2">Please do not reply to this email. This mailbox is not monitored and you will not receive a respons. For assistence, log in to your PayPal<br />
account and click the Help link located in the top right corner of any PayPal page.</font><font face="Arial, Helvetica, sans-serif" size="2"><br />
<br />
PayPal Email ID PP3573</font>
</body>
</html>

Obviously, I have changed all the domain names and IP addresses (other than PayPal's domain name) to protect my privacy and to protect any of you from accidentally visiting a phishing site. I don't want my readers getting infected because of my articles, after all.

The highlighted snippet contains a link. If you look at it closely, you'll notice that the link's target is not a PayPal URL -- something you wouldn't necessarily notice if you viewed the email with HTML rendered, which would just look like this:

[image: spam email, rendered]

This isn't exactly the cleverest phishing attempt in the world. It contains spelling errors, and targets something that most security-aware people will immediately recognize as a common subject of phishing e-mails. A more well thought out attempt might fool someone who doesn't habitually look at the plain text of e-mails, however.

In general, legitimate emails with HTML formatting come with a plain text version as well these days. When signing up for mailing lists and other mass-notifications, it is almost always possible to choose whether you get emails in plain text or HTML form. The exceptions are almost always phishing emails. Some people may get more HTML formatted emails than others, of course, but for most of us there really isn't any need to render HTML for all emails. In my case, in fact, HTML formatting is a very accurate predictor that an email I receive is unwanted, and I use HTML formatting as part of my spam filtering criteria.
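The two observations above (a link's visible text says nothing about where it really goes, and legitimate HTML mail normally carries a text/plain alternative) can be turned into a small triage script. This is an added example, not code from the article; both sample messages are constructed, imitating only the structure of the phish shown and its example.org placeholder link, and the "claimed domains" list (the brand the body names) is supplied by the caller.

```python
"""Triage an HTML e-mail the way a plain-text reader would see it.

Check 1: is there a text/plain alternative at all?
Check 2: does each link really point inside the domain the body speaks for?
"""
import email
import email.policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: HTML-only, no text/plain part, one "click here" link
# whose target (the article's example.org placeholder) is not the brand named.
RAW_PHISH = b"""Subject: Account Expired ! Please renew your account !
MIME-Version: 1.0
Content-Type: text/html; charset="windows-1252"

<html><body><font face="Arial, Helvetica, sans-serif" size="2">Dear Member,<br />
Your PayPal account has expired.<br />
To continue <a href="http://example.org/files/liaz/index.php">click here</a>,
login to your PayPal account and follow the steps.<br />
The PayPal Team</font></body></html>
"""

# Constructed sample: multipart/alternative with a plain-text part and a link
# that stays on the sender's own (hypothetical) domain.
RAW_LEGIT = b"""Subject: Your Example Corp statement
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

Your statement is ready: https://www.example.com/statement
--b1
Content-Type: text/html; charset="us-ascii"

<html><body>Your statement is <a href="https://www.example.com/statement">ready</a>.</body></html>
--b1--
"""


class _AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain (last two labels); adequate for triage."""
    return ".".join(host.lower().rstrip(".").split(".")[-2:])


def has_plain_text_part(msg):
    """Legitimate HTML mail normally ships a text/plain alternative."""
    return any(p.get_content_type() == "text/plain" for p in msg.walk())


def extract_links(msg):
    """(href, visible text) pairs from every text/html part of the message."""
    links = []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            collector = _AnchorCollector()
            collector.feed(part.get_content())
            links.extend(collector.links)
    return links


def flagged_links(msg, claimed_domains):
    """Links leaving the claimed domains, or whose visible text is a URL on a
    different host than the href actually points to."""
    findings = []
    for href, text in extract_links(msg):
        host = urlparse(href).hostname or ""
        reasons = []
        if registered_domain(host) not in claimed_domains:
            reasons.append("destination outside claimed domains")
        if "://" in text or text.lower().startswith("www."):
            shown = urlparse(text if "://" in text else "http://" + text).hostname or ""
            if registered_domain(shown) != registered_domain(host):
                reasons.append("visible URL text differs from href")
        if reasons:
            findings.append({"text": text, "href": href, "host": host, "reasons": reasons})
    return findings


def triage(raw_bytes, claimed_domains):
    """Run both checks; claimed_domains are the brands the body names."""
    msg = email.message_from_bytes(raw_bytes, policy=email.policy.default)
    return {"plain_text_alternative": has_plain_text_part(msg),
            "flagged_links": flagged_links(msg, set(claimed_domains))}
```

Running `triage(RAW_PHISH, ("paypal.com",))` reports no plain-text part and one link leaving the claimed domain; the legitimate sample, checked against `("example.com",)`, reports a plain-text part and no flagged links.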

In my list of basic email security tips from almost a year ago, I mentioned that one should avoid letting HTML render in your email client. Take this as an object lesson in the kind of threat HTML e-mails can present.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

63 comments
jkiernan

This advice, while useful to absolute newbies, is very dated. End-runs around the "a ref" are as old as Goatse and Tubgirl. The real issue here is how awful Microsoft's email clients are and how many people still use them. This is a relatively unsophisticated method of attack that requires user ignorance or stupidity to succeed. More threatening by far are the buffer overruns and security flaws that require no user interaction to insinuate crapola on a system.

Rick_from_BC

For those e-mails I am not expecting, or suspect are 'phishy,' I save the e-mail as text (always use the title "junk") and open the text file in a simple editor. I get about 3-8 of these a week (good ISP filtering, whitelist for regulars, etc.) so the burden is not high for this procedure. I also kinda get a kick out of reading the crap to see what they want from me (they always want money, but sometimes they want info too). I don't think I've been to a website link included in an e-mail -- unless it comes from a well-known source and I can see from the rest of that e-mail that it is strongly likely to have been originally sent by that person.

Oz_Media

Good article Chad, nice to see your still at it. I need to send HTML mail in many cases but prefer not to read them most of the time. First of all, with my personal mail account I get perhaps 3 or 5 emails per day, there are VERY few people that have the address and I don't use it as my default, I actually use my work address as a default mail app, because I don't care what people send to that address (nice, huh? but it isn't MINE ]:) ). We just have a small office, no mail server, hosted by ISP etc., I just don't care what comes through there. But I do send HTML mail as I am a BDM and need to use all marketing angles I can. I have an opt in distribution list where I send nicely formatted and colourful emails, I even send embedded FLASH!! (I know, bad boy!) and my customers are anything but techs so they all seem to go through, except to guys using blackberries on jobsites, however I always send text mail too, just as a backup. All graphics use a properly formatted ALT tag so as not to be too confusing in text form though. With the bands in the UK and other parts of Europe, I also send promotional emails, HTML formatted of course. In the industry you really need all that crap turned on or else you miss out on so much that really is important. It's an industry that enables and sucks up FLASH, ActiveX and all other nasty scripts, seriously just about anything goes through. Myself I accept both, but I don't open what I do not expect. NOTHING lures me into opening something I shouldn't. I just can't be bothered to read it, it's not so much of a security issue but just that I am not interested in it. I get a lot of unsolicited email on the OzMedia and studio accounts, it gets deleted and not even previewed. Just like half the music I'm sent, I used to listen to all of it but don't have time or interest now. If it isn't expected, it is lost or deleted. I have had a couple of people say 'did you get that email?' Where I simply respond, unless it was from YOUR address, nope.
I hate getting that crap, the same old chain letters (that people think are new or witty 10 years later). Stupid Power Points with goofy graphics and somber music while showing American flags, Images of God and heaven, fake sunsets, soldiers, and all the rest of it. No time, not wanted, deleted. In the case of the mail example you showed, PayPal, I wouldn't have even opened it, no way I would have visited the link. I'm the same way with the phone, I have a good gatekeeper and use my VMail when she's not there to help screen the loonies and time wasters, seriously she is phenomenal at clearing calls for me, absolutely invaluable! (in fact I think it's time to buy her something nice in appreciation for her hard work). So in essence I don't practice what I preach, I send it but rarely read it, though I do have HTML turned on, I don't use preview so I just delete what I don't really want and then start reading all the others.

Mad-H

I hate html mails, with a passion, and I can't see how any benefits outweigh the drawbacks and dangers. Sure, some sites offer the option of text or html and this is a good thing, but many basic users may not understand this. There is also the issue that you don't always know the capabilities of the recipient's mail software (which is why _not_ offering a text version for sign-up mails is inexcusable) - someone I know accesses their mail through a web client, but that (for some reason) doesn't render the html, so any html mails that are sent to him appear in their raw form, and as he isn't (by any means) technical, this means that they are pretty much unreadable. As someone else mentions, there is also the danger of embedded images/objects like - this doesn't require the user to click on anything, and some mail programs (I won't name them, but you know which one I am talking about) will even download these if the mail is automatically previewed on receipt. Some people (esp marketing depts) say "I need HTML to make the mails look good" - but if you _require_ this then a) if you haven't got the layout skills to lay out a good text mail then you should be in another job know this goes back to web links, but if it is a text mail then the user has more visibility on where they are going (I get an MSDN mail that is, in plain text form, a complete mess) b) (as I mentioned before) you don't know the capabilities of the recipient, so they may see the rendered HTML in an odd form, dependent on their software, or may not be able to read it at all. For me, e-mail is about firing text around, and yes, you can attach documents, or put in web links, but the mail content should be text/plain.

mdhealy

My default setting is always to view as text, for precisely this reason: it's much easier for me to spot phishing attempts. But the Tech Republic Newsletter is HTML-formatted, which I find annoying.

john.carter

...and the URL is displayed in the status bar at the bottom of the (IE) browser window. The phonies easily stand out...

Rob C

I recall that in my earlier days (probably Outlook Express), I could easily choose to read an individual email as plain text. Which surely would be handy for some emails? I currently use Thunderbird, and I am not easily finding such a choice (aka, I haven't found out how to do it yet). Does anyone know how to do that with Thunderbird?

JackOfAllTech

I've used Foxmail for a long time because it is, AFAIK, the only Windows email client that allows you to force viewing in text mode by default. I've mentioned this before - I've been using PCs since the early '80s, did some hacking in my time, visited some dark BBSs, but not once been infected because I take precautions. That old adage about an ounce of prevention really is true.

techr.thormj

Hrmph. In outlook, the hover-over-the-link will show you where you are going, and you should always double-check the address bar when the page comes up (but you may have been infected by that time). HTML (or even RTF) is handy to compose more easily if you are doing more than "posting a note"; my communications tend to include tables, graphics [equations], lists, etc; you could: 1. Use a really good text editor that changes lots of things when you add to the numerical list and aligns columns with spaces [ick] 2. Attach the real message as a Word / Excel document, but then you *must* open the attachment in order to "get the message." 3. Use HTML and have the renderer keep track of numbers and the like. Biggest thing I don't like about HTML emails is that my BlackBerry does them poorly (at least for the graphics) ...

Husam

valuable advice, it is great to know this. Thanks from the bottom of my heart.

apotheon

How do you deal with the dangers of HTML email? Do you have any legitimate needs that actually require HTML formatted emails? Do you send HTML email even when it isn't necessary?

seanferd

Most users click on everything, and some things need only be displayed in order to exploit a vulnerability. It may be old, but too few get it. No argument from me about MS email clients though.

ian3880

"When needed, yes. Good article Chad, nice to see your still at it." YOUR instead of YOU'RE ??? Like I said ... get grammar and spelling correct THEN graduate to HTML ... :-)

NWwoman

the truth is that people respond differently to "all black" text and text with color photos, white space for visual relief, captions, headlines and color. People do not pick up a text-heavy book that uses small point sizes for fonts and language with a fog index of more than 9th grade, plus no graphics, and enjoy it after dinner. Instead, it's perceived as something to study and therefore needing undisturbed time to read, when higher levels of concentration can be tapped. The purpose, and sole purpose, of copy packaged in the correct design is to lure readers into reading, at this moment, preferably. When text is set aside for reading later, it's oftentimes never read. So, the issue imho is actually: When will tech folks develop an html email format, script, call it what you may, that will enable recipients to be secure and mailers to cause the behavior they need: reading and then, action. Perhaps it's impossible. If that's the case, then we need to rethink using direct email as a marketing tool and as an ezine publishing method. --- Just my nickel...after spending some 37 years as a PR/Marcom professional and being one of the first to "live" in the online space, way back in the days when there were no windows GUIs and we typed commands on a black screen to connect to the internet. It was the wild west then.

chris

I accept that you hate them. but you are interested in the information. you'd probably even accept a text only browser to get info you wanted. But, I'd bet the average person likes things bolded, colored, etc. It's pretty/cute/etc. If someone could have "the perfect solution" that allows people (normal, average people, not you (and everyone else here)) they could make some serious money I would think.

apotheon

But the Tech Republic Newsletter is HTML-formatted, which I find annoying. If you click the "My Workspace" link toward the top-right of the page, then click the "My newsletter subscriptions" link below the myWorkspace logo, just above the "Edit profile" link, you'll get a "Manage my newsletters" page. Scroll down to the bottom, and you should see a "Your e-mail delivery format" section. Select the radio button for "Text", and click the "Update my account" button to set plain text as your default newsletter email format. Unfortunately, this doesn't work for discussion subscriptions. For that, from the bottom of the "Manage my newsletters" page, you have to click the "RSS Alert Management Center" link. On that page, you have to change each discussion subscription's format individually, and it only allows you to save changes to one of them at a time. A couple of years ago, when this became the new way to handle discussion subscriptions, I complained at some length about the atrocious lack of usability of that design, and was told they were going to fix things -- but they never did. It's still the same broken mess it was then. I decided, after a while, to just use the "My Updates" page in the Workspace, and make sure I had selected the "Discussions" link just to the right of the list of updates so I actually got discussion updates in the list, but then for a little while recently that page was never getting updated. Apparently someone broke something there, and I had to start using email alerts again. This meant a long, arduous, pain in the butt task of changing all my subscriptions' individual settings one at a time. They now seem to have gotten the updates page working again, so I may go back to using that. It'd be nice if I could pretend that keeping up with discussions was easy and slick, as it once was in fact, but it's not.

mdhealy

There are HTML coding tricks that will make mouse-overs look like the link will take you to the correct URL. The only truly safe way is to view the source, read the URL, and TYPE IT WITH MY OWN FINGERS into a new browser window. Unless the URL from an email message has been typed by my own fingers it is not safe.

rykerabel

Outlook can force text only also. Tools > Options > Preferences > E-Mail Options > Read all standard mail in plain text (also has sub to Read all digitally signed mail in plain text)

Tony Hopkinson

the hover over with a bit of javascript. You can put more javascript in there, hoorah, goody etc. You can use graphics as trackbacks, that was part of the HP spying scandal. You can embed links that look OK but are not. Biggest thing I don't like about HTML emails is people don't think of them as browsing. Whatever browser discipline they have (usually none) is completely turned off because they are in email mode. If you are in Outlook, that's a really really bad idea. Just another virus and scam vector, so any one with a brain will strip them, or just bounce it back as a default. Seems to be a serious communication lack, doesn't it?

ian3880

"How do you deal with the dangers of HTML email?" Have my browser set to TEXT ONLY mode. Opera's email client always shows the full URLs in the body of the message, as (I guess) other email readers do. "Do you have any legitimate needs that actually require HTML formatted emails?" NO "Do you send HTML email even when it isn't necessary?" I NEVER use HTML - I have my email client set to PLAIN TEXT ONLY mode. HTML eye-candy does not make the content of a badly spelled (or spelt) and/or grammatically incoherent email any better. Get the basics right first. I recently had someone send me an HTML email which, (when compared to the same email with all the HTML formatting crap pruned out of it), was about 4 times bigger. The plain text version was just as easy to read, and not one snippet of information was lost. I am on a reasonably small mobile data plan in Oz and I do NOT take kindly to people sending me both the HTML AND (as pointed out in the original article) the plain text version as well. My browser is set to plain text only so any fancy "eye candy" is simply wasted on me BUT I still have to pay to download all the HTML crap. Grrrrrrrrrr! I have valid reasons for NOT wanting emails in HTML format and if people can't accept my wishes, then to me that's just plain arrogance or stupidity. People who send me HTML emails get one chance to reform their stupid habits. After that I don't bother to reply. It's my choice to do this, just as it's theirs to continue using unnecessary HTML in emails. Re comments about needing to use HTML to send tables, etc, etc. Hello? How ridiculous is that? Everyone's browser will display that HTML page differently depending on browser type and individual settings. Re attaching stuff in proprietary formats like Micro$oft .doc or .xls. How dare you assume I have the ability to display those formats. (I actually do, but via Open Office.)
Get real and use a format that DOESN'T rely on me having the same font as you have used, or even the same program. While it can be argued that Adobe's Acrobat .PDF format is "proprietary", at least it is universally regarded as a de-facto standard. All but the smallest minority of computer users have the ability to display .PDF files. Oh ... to Micro$oft centric people who can't create .PDF files directly from their Office suite of programs, (you poor things :-) ) then consider getting Open Office (which can) or any one of the numerous .PDF creator programs. SO ... to sum up. Use plain text in emails, and if for any reason you need to send something "pretty" then attach it as a .PDF file. P L E A S E?

paulc

After reading the following statement I searched for some definition on how to use HTML formatting. "In my case, in fact, HTML formatting is a very accurate predictor that an email I receive is unwanted, and I use HTML formatting as part of my spam filtering criteria." The article would have been more useful to me if there had been examples of how to set up HTML formatting.

pgit

First, from your article: "I don't want my readers getting infected because of my articles, after all." I use Linux, as do many of my clients. I used to be in the habit of going out of my way to open such links, view viral content in mail, etc. Just don't have the time anymore. Still, I don't allow html in by default. I only allow it from specific contacts in my address book. So... "How do you deal with the dangers of HTML email?" I use thunderbird, but any of the mail clients I help folks with can do the same: all mail is plain text unless manually/specifically allowed. "Do you have any legitimate needs that actually require HTML formatted emails?" Absolutely. For those html is allowed, but images are not loaded by default. This sometimes precludes reading the mail, other times not. So I'll manually load 'off site' images when needed. There are also a few folks in the mix who send in html (to me, via a list) that I do not need to view in that fashion. I don't allow html unless absolutely necessary. "Do you send HTML email even when it isn't necessary?" um... yeah. I suppose I have. But thunderbird allows you to set a per-contact preference of sending in html or text. By default I set text, unless I know the recipient needs the html. I then send in both, and let the mail client send whichever form to whichever recipient. ...usually. I'm sure there's people who are not in my contacts that I've sent html mail to... maybe I should be more careful. Good food for thought, as usual there, Chad. How's that cloning project coming along?

Jaqui

me? never. always plain text only. there is not ONE good reason for html email, and such a format is junked and never read.

Slayer_

Absolutely, I love the eye candy, my signature is even coloured and everything (Company template, not my choice lol). When I get a text email, I usually switch it to HTML before reading it just because the HTML font is much easier to read. However I am not dumb enough to click one of those links, and I have it hammered into my folks heads to never click links in emails. Rookie users are frightening, I make sure all machines my folks use have file extensions on, so when they get emails, I've told them never open anything that is .exe and only to open .jpeg, .gif, .bmp, .mpeg, .avi files. And yes they do remember this, or they ask me. They actually went 5 years online with an insecure system (because virus scanner nag screens frighten them, the endless calls of what does this message mean, made it worthwhile to remove virus scanners) without getting a single virus or spyware. The system is still alive and healthy in our office room now, thankfully it's more secure on my house network than it was at our shop. For anyone that was scared of this, the unsecured computer accessed its company information from a server like machine that had very high security, I actually had two virus scanners working together to keep that thing safe (they did function fine together), along with malware scanners, frequent backups.

apotheon

It's old news, to be sure -- but one need only peruse the discussion here to see that far too many people still don't know, don't care, or don't want to believe the evidence right before their eyes. Keep in mind, too, that there are probably fewer people that don't know/care/believe, as a percentage of the total, who are willing to comment on the article than not. In short, the message still needs to be shared, because for far too few people has it sunk in. edit: Also, on the subject of bad email clients . . . We need to figure out how to get people to give up the bad, bloated, crappy clients. They'll never do so as long as they think they need all the bells-and-whistles bloat, though. If we can educate them on what they do need, and what they should be doing, such that they begin to see the bells and whistles they've cherished so much (like the ability to play Flash videos and display background images in the email) as the threats they are rather than "features", we'll have taken dramatic steps in the right direction.

apotheon

So, the issue imho is actually: When will tech folks develop an html email format, script, call it what you may, that will enable recipients to be secure and mailers to cause the behavior they need: reading and then, action. Perhaps it's impossible. If that's the case, then we need to rethink using direct email as a marketing too I guess maybe that's the problem -- in the article, the subject was email for communication, and not for marketing. When I get marketing emails, I delete them. When I get emails for communication, I read them. Whether something is fraught with spaghetti markup or not is usually a pretty good indicator of which an email is. The biggest problem that arises, and what I hope the article helps a few people figure out how to solve in their own lives, is that people see marketing emails as a good model for email designed for communication. Even when viewed in a fully rendered presentation, markup-heavy emails tend to obscure the core content rather than illuminating it. Stop sending heavily marked up email when you don't need it, and you won't have this problem with people (like me) throwing away your emails. If you're sending out marketing emails (usually spam), I guess you should keep using heavily marked up email, but that's not really the target audience here anyway.

apotheon

But, I'd be the average person likes things bolded, colored, etc. It's pretty/cute/etc. There are ways to get that without rendering HTML -- but nobody cares. Everybody wants images embedded even when they're hosted on remote servers, links with the actual target URLs obscured, and other pieces of dangerous nonsense that don't actually add anything of real use to the message.

Rob C

Thanks, that's what I was looking for. Regards, Rob

chris

the entire internet. I don't see how html email is any worse. maybe I am better edumacated than the average mom or pop, but that can be handled over time.

seanferd

They can be much more, esp. with embedded ridiculousness. I feel for you folks with data plans having to deal with HTML, scripting, and embedded objects with respect to email and web sites.

chris

I have customers send me email that says something like. be sure to format this web page content like I have it below (with bolds, underlines, etc). I "could" tell them to create a what, word document or pdf or something or manually tell me what formatting? Nope, my customer wants to send HTML email, I receive it.

apotheon

How's that cloning project coming along? Very, very slowly. Who knew cell division was such a drag?

chris

I always communicate with my customers how THEY want to be communicated. If they send HTML they get HTML, if they call, I call.

parnote

You had better be telling your people to NOT click on or open anything that ends with BAT, COM, WS, VBS ... because every Windows system is also at risk from these files too. Of course, you could avoid the problem all together (instead of relying on people to do the right thing when they are told) and just run Linux, where your risks are infinitely less.

chris

just don't be stupid. come on people. now, if there is an HTML danger along the lines of some hack when the email is rendered or previewed or something, let me know.

apotheon

While you are at it why not persuade them that downloading movies and music from the internet is a bad idea But that's not a bad idea. that talking to people that you have never met through IM clients is a bad idea Define "met". that clicking on ads that say 'free' is a bad idea Whether it's a bad idea is more dependent on context than on whether the ads say "free". let's persuade them to do away with their Internet Explorers, Firefox's and Chrome browsers and install Mosaic - now there's a secure Internet browser. That's not the same thing, and you should know it. Well, we should convince people to give up IE, at least, but that's a different matter. You stand more realistic chance of stopping the threats by persuading the manufacturers to make their 'bloated' email clients more secure. So . . . I take it what you're saying is that writing an article about the dangers of HTML email is a completely worthless endeavor, even if it happens to effectively educate half a dozen people, because it doesn't work on everyone. Is that it? I disagree.

SObaldrick

"We need to figure out how to get people to give up the bad, bloated, crappy clients. They'll never do so as long as they think they need all the bells-and-whistles bloat, though. If we can educate them on what they do need, and what they should be doing, such that they begin to see the bells and whistles they've cherished so much (like the ability to play Flash videos and display background images in the email) as the threats they are rather than "features", we'll have taken dramatic steps in the right direction." You want to educate email users to 'give up' the bells and whistles features in their email client .. good luck. While you are at it why not persuade them that downloading movies and music from the internet is a bad idea .. that talking to people that you have never met through IM clients is a bad idea .. that clicking on ads that say 'free' is a bad idea .. and while we are at it, let's persuade them to do away with their Internet Explorers, Firefox's and Chrome browsers and install Mosaic - now there's a secure Internet browser. You stand more realistic chance of stopping the threats by persuading the manufacturers to make their 'bloated' email clients more secure. Les.

Slayer_

Outlook does by default block images from downloading, leaving you with a blank email. A sure sign that the email required deletion. Why won't these people learn??? Let's send entire web pages and pictures as emails. yeah, that sounds like a good idea. Sure hope every single decent email client out in the world won't block our web content from downloading..... Frankly whoever crafts such emails should lose their jobs immediately....

santeewelding

Thank you, Chip. I am aware of that. Markup is also allowed with email, given base plain text.

santeewelding

Do those three instances of boldface -- "time..both...natural" -- amount to a departure from base plain text?

apotheon

It's kind of a "traditional" distinction -- because I already had several years of using email for important stuff before I started using syndication feeds, so RSS and Atom aggregators ended up naturally taking the back seat. I don't have time to make them both take a high attention priority, to say nothing of the fact that I don't get personal and professional communications via RSS very often. No . . . the more I think about it, the more natural that distinction is, in my life at least.

Sterling chip Camden

I can ignore email just as easily as I can ignore feeds. That's a matter of how you prioritize and how you view your email or feed client.

apotheon

Unfortunately, RSS feeds are things I can ignore for a while and never get caught up again, and I don't much care. Email is something I have to get through, all the time -- so if I actually want to see everything in my TR subscriptions, I'm better off using email than an RSS aggregator.

Tony Hopkinson

HTML email is a security threat and one that can easily be dealt with. The existence of other threats doesn't make it less threatening. The real point is, you are asking 'me' to risk communicating with 'you'. My decision on whether to, is based on the fact that you chose to put me at risk, through your choice of how to communicate. Your assessment of the level of risk/reward is wholly biased in your favour, and therefore valueless. So by sending a HTML email, you've communicated that you are quite happy to put me at risk in return for your reward. On that basis, what should an edumacated person do?

apotheon

Because there's a bridge of sorts forged between your email-based identity and the functionality of the Web in HTML formatted emails, you open yourself up to a greater range of threats when dealing with HTML email on its own terms (i.e., letting a "rich content" email do whatever the hell it wants to do). For instance, loading an image in a browser doesn't give anyone confirmation that a particular email address is actually used and thus a good target for spam and phishing emails (to draw on an example mentioned both by Tony Hopkinson just above your comment and my own statements about the dangers of HTML emails rather further up the chain).

ian3880

.... it was just text only. No graphics, no fancy coloured or highlighted fonts. Just plain black text. Sent as HTML. So why the F*** did the idiot send it in HTML? Probably doesn't know any better. :-( Sigh!

remymaza

Seriously, gmail blocks .exe, .hta's and many other malicious extensions by default. It'll even block the email if those files are zipped. You really can't be serious about being able to send an email with those files attached as is... Seriously... C'mon

Slayer_

They will download but won't let you run them without a registry hack.

chris

solution out there, that might be used just for things coming from an email client?

Sterling chip Camden

anymore. I use a contact form on my site. I'll share my email address with my client once we make contact.

SObaldrick

I do a lot of contract work, so I want my email address to be very public. You could argue that I might want to have a second email address that I use for my private emails, but that means having to maintain 2 email accounts and their profiles and also having to be careful about which account I use for what, and you know that the only way spammers are not going to find your email address is if you don't use it (and even then there is no guarantee), so eventually you are going to have to change your private email address, and then you'll have to go to the trouble of telling everyone that it has changed .. I'd rather put up with the spam. Gmail is pretty good at filtering it out. I get maybe 4 or 5 spam emails a day in my inbox. It takes all of 20 seconds to delete them. Not a big deal. Les.

Sterling chip Camden

We get our snail mail through a UPS store, so any mail arriving at our physical address is automatically junk. The same thing should go for your email address. Don't ever give out the one you really use, except to private contacts. When anybody else wants one, give them a different one that you never have to check.

SObaldrick

but talking about phishing attempts reminds me of my first experience of phishing. It was in 1984. (Of course there was no such word as phishing then, to my knowledge.) I was working for a hi-tech company as a programmer. All our software development machines were maintained by the network services maintenance group (or whatever they were called). The developers only had access to the software that they needed to do their job. If a problem ever arose, we would have to call network services and have them come login with an admin account and fix whatever went wrong. This often meant hours of lost work time while we waited for network services to fix the machine. Now, as I said, this was a very hi-tech company, which means that if you are a programmer there, you are pretty smart when it comes to computers. Any developer was equally capable of fixing their computer as any administrator. If only we had an admin account and password, we could save hours of development time whenever something went wrong. So a bunch of us devised a plan to get admin access to the network. Yep, you guessed it, we created a dummy login screen that would capture whatever was typed and then redisplay the 'real' login screen after sending out an error message .. and then called the helpdesk. Even to this day I still remember what the password was. Les.

SObaldrick

What is so bad about giving a spammer your email address? I currently have 5335 emails in my spam gmail folder, and I clear them out regularly. If I want to get a list of 'good' email addresses, all I have to do is sign up for monster.com. What job seeker doesn't post their email address on a job board? I could think of 1000's of other examples of places to get 'good' email addresses from. That's equivalent to telling the post office, I'm not giving you my mailing address, because I don't want junk mail. Les.

chris

Still not a direct threat per se, but that is the kind of thing people should at least be aware of. Just like giving out info over the phone or even leaving a CC receipt on the table at a restaurant. May not be a direct threat, but knowing the kinds of things that "could" happen helps people make more informed decisions. Thanks.

apotheon

Are you incapable of setting a different default font for plain text viewing? "if there is an HTML danger along the lines of some hack when the email is rendered or previewed or something, let me know." Oh -- you mean like an image hosted on someone else's server, with a URL like this: <img src="http://www.example.com/image.jpg?u=39674320" /> That u=39674320 part might identify you with your email address when you access the image on the spammer's server, thus verifying a good email address that can then be later sold as part of a list of spammable or phishable addresses.
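As an added, defender-side example (not code from the original thread or its author): a Python script that lists the remote resources an HTML message would fetch when rendered and flags the ones carrying a per-recipient token of the kind apotheon describes. The sample message is constructed for this example, and example.com is a placeholder host.

```python
"""Audit an HTML e-mail for auto-fetched remote resources ("web bugs").
The sample message below is constructed; example.com is a placeholder."""
from html.parser import HTMLParser
from urllib.parse import urlparse, parse_qs

# Attributes whose value a rendering client fetches without any user action.
FETCH_ATTRS = {("img", "src"), ("link", "href"), ("table", "background"),
               ("td", "background"), ("body", "background")}

class RemoteResourceFinder(HTMLParser):
    """Collect (tag, url) for every attribute in FETCH_ATTRS."""
    def __init__(self):
        super().__init__()
        self.resources = []

    def handle_starttag(self, tag, attrs):   # also reached for <img ... />
        for name, value in attrs:
            if (tag, name) in FETCH_ATTRS and value:
                self.resources.append((tag, value.strip()))

def beacon_indicators(url):
    """Return the reasons a URL looks like it identifies the recipient."""
    parsed = urlparse(url)
    reasons = []
    if parsed.scheme not in ("http", "https"):
        return reasons                 # cid:/data: never leave the mail client
    if parsed.query:                   # e.g. ?u=39674320 from the comment above
        reasons.append("query string " + ",".join(parse_qs(parsed.query)))
    # A long hex token as the file name also singles out one recipient.
    last = parsed.path.rsplit("/", 1)[-1].rsplit(".", 1)[0]
    if len(last) >= 12 and all(c in "0123456789abcdefABCDEF" for c in last):
        reasons.append("opaque token in path")
    return reasons

def audit_html_mail(html):
    """Return one report entry per remote (http/https) resource."""
    finder = RemoteResourceFinder()
    finder.feed(html)
    return [{"tag": tag, "url": url, "beacon": beacon_indicators(url)}
            for tag, url in finder.resources
            if urlparse(url).scheme in ("http", "https")]

SAMPLE = """<html><body>
<img src="http://www.example.com/image.jpg?u=39674320" />
<img src="http://www.example.com/logo.png">
<img src="cid:part1.inline@example.com">
<td background="http://www.example.com/t/9f8e7d6c5b4a3f2e.gif"></td>
</body></html>"""   # constructed sample message

if __name__ == "__main__":
    for r in audit_html_mail(SAMPLE):
        print("BEACON" if r["beacon"] else "fetch ", r["url"], *r["beacon"])
```

Anything this reports as a fetch is a network request the client makes on your behalf; a plain-text view, or a client that blocks remote content by default, makes none of them.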