
A practical example of why HTML e-mail is a bad idea

Viewing emails without rendering HTML formatted content can be a simple, easy, and effective security technique.

I received a phishing email the other day, and it reminded me why I use mutt as my mail user agent. The headers and text of the email look like this:

Delivered-To: unknown
Envelope-to: me@example.com
Delivery-date: Wed, 11 Feb 2009 09:45:07 -0700
Reply-To:
From: "service@paypal.com"
Subject: Account Expired ! Please renew your account !
Date: Wed, 11 Feb 2009 11:48:20 -0500
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
X-OriginalArrivalTime: 11 Feb 2009 16:45:05.0698 (UTC) FILETIME=[17964020:01C98C68]
X-user: ::::0.0.0.0:host.example.net::::::

<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
</meta><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title></title>
</meta></head>
<body>
<font face="Arial, Helvetica, sans-serif" size="2">Dear Member,<br />
<br />
Your PayPal account has expired. <br />
You must renew it immediately or your account will be closed. <br />
If you intend to use this service in the future, you must take action at once!<br />
<br />

To continue <a href="http://example.org/files/liaz/index.php">click here</a>, login to your PayPal account and follow the steps.<br />
<br />

Thank you for using PayPal!<br />
The PayPal Team<br />
<br />
</font><font face="Arial, Helvetica, sans-serif" size="2">Please do not reply to this email. This mailbox is not monitored and you will not receive a respons. For assistence, log in to your PayPal<br />
account and click the Help link located in the top right corner of any PayPal page.</font><font face="Arial, Helvetica, sans-serif" size="2"><br />
<br />
PayPal Email ID PP3573</font>
</body>
</html>

Obviously, I have changed all the domain names and IP addresses (other than PayPal's domain name) to protect my privacy and to protect any of you from accidentally visiting a phishing site. I don't want my readers getting infected because of my articles, after all.

The snippet with the <a href> tag is the important part: it contains a link. If you look at it closely, you'll notice that the URL in the link is not a PayPal URL, something you wouldn't necessarily notice if you viewed the email with HTML rendered, which would just look like this:

[Screenshot: the spam email as rendered by an HTML-capable mail client]

This isn't exactly the cleverest phishing attempt in the world. It contains spelling errors, and it targets something that most security-aware people will immediately recognize as a common subject of phishing e-mails. A better thought-out attempt might fool someone who doesn't habitually look at the plain text of e-mails, however.

In general, legitimate emails with HTML formatting come with a plain text version as well these days. When signing up for mailing lists and other mass-notifications, it is almost always possible to choose whether you get emails in plain text or HTML form. The exceptions are almost always phishing emails. Some people may get more HTML formatted emails than others, of course, but for most of us there really isn't any need to render HTML for all emails. In my case, in fact, HTML formatting is a very accurate predictor that an email I receive is unwanted, and I use HTML formatting as part of my spam filtering criteria.
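As an added example (not part of the original article, and not mutt's code), here is a small Python check in the spirit of the filtering criterion just described: it parses a message, reports whether it is HTML-only (no text/plain part at all), and lists link hosts that are not under the From domain. The sample message is constructed from the phishing mail quoted above; its domains are placeholders.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the phishing mail quoted above: HTML-only,
# sender claims paypal.com, link goes elsewhere. Both domains are placeholders.
SAMPLE = b"""From: "service@paypal.com" <service@paypal.com>
Subject: Account Expired ! Please renew your account !
Content-Type: text/html; charset=windows-1252

<html><body><font size="2">Dear Member,<br />
To continue <a href="http://example.org/files/liaz/index.php">click here</a>,
login to your PayPal account and follow the steps.</font></body></html>
"""

class HrefCollector(HTMLParser):
    """Collect the href of every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.hrefs = []

    def handle_starttag(self, tag, attrs):
        href = dict(attrs).get("href")
        if tag == "a" and href:
            self.hrefs.append(href)

def analyse(raw):
    """Return (html_only, sender_domain, offsite_hosts) for one raw message."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))   # None if no text/plain part
    html = msg.get_body(preferencelist=("html",))
    sender = msg["from"].addresses[0].domain.lower() if msg["from"] else ""
    offsite = []
    if html is not None:
        collector = HrefCollector()
        collector.feed(html.get_content())
        for href in collector.hrefs:
            host = (urlparse(href).hostname or "").lower()
            # Flag hosts that are neither the sender's domain nor a subdomain of it;
            # this is exactly what the rendered "click here" text hides.
            if host and host != sender and not host.endswith("." + sender):
                offsite.append(host)
    return plain is None and html is not None, sender, offsite

if __name__ == "__main__":
    print(analyse(SAMPLE))  # -> (True, 'paypal.com', ['example.org'])
```

A real filter would feed each incoming message's bytes to analyse() and score the html_only flag and any non-empty offsite list alongside its other spam criteria.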

In my list of basic email security tips from almost a year ago, I mentioned that one should avoid letting HTML render in your email client. Take this as an object lesson in the kind of threat HTML e-mails can present.

About

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.
