Very useful, thanks.
Graham
----- Original Message -----
From: "Phil Smith III" <li...@akphs.com>
Newsgroups: bit.listserv.ibm-main
To: <IBM-MAIN@bama.ua.edu>
Sent: Tuesday, February 02, 2010 10:38 PM
Subject: Re: OT (?): Are HTML emails unsafe
Steve Comstock wrote:
For years now I've configured my mail client to not
accept HTML emails. The common wisdom, as I perceived
it anyway, has been that HTML emails and various
kinds of attachments (esp. Word documents) were prime
paths for viruses to attack your system.
I seem to be getting a lot more HTML emails these days
and I got to wondering if technology has changed enough
that the probability of this kind of email being
malicious has dropped to extremely small.
There's nothing inherent about HTML that makes it dangerous. The risks,
such as they are:
1) About a decade ago, Outlook 97 would let HTML run scripted things that
were theoretically unsafe. My IT manager sent me a note which, when
opened, played a WAV file which said VERY LOUDLY, "Hey everybody! I'm
looking at pr0n over here!" Funny, but of course in certain circumstances,
very not. This was fixed LONG ago, quite possibly even as a patch to
Outlook 97 (I saved that old note, and it no longer does any such thing).
It's worth noting that many folks decided that Outlook was "dangerous"
based on this ancient version; using that logic, Firefox is probably worse
than IE, since early Netscape wasn't exactly the most secure browser ever.
2) HTML can embed graphics, which can be not-work-safe. Graphics can also
be "web bugs", which can tell the server from which the graphic is fetched
the identity of the note that fetched it, using a customized URL such as:
http://graphics.server.com/webbug.gif?userid=...@yourdomain.com
The webserver is then configured to serve the graphic (or even not,
actually) and it knows -- since it sent only ONE note with that precise
query string -- who read the note (well, it thinks it does, anyway;
obviously it could be postmas...@yourdomain.com or equivalent, or various
'bots, but). This is semi-evil with spam, as it can telegraph "Hey, we got
a live one!" when email is sent using a dictionary attack. Solution: don't
open spam, and don't load graphics by default (any modern email client
makes loading graphics optional for senders who have not been marked as
"safe").
3) Links in HTML could be bogus -- it's easy to say "Click on this URL:
www.yourbank.com" and have the visible link not match the actual URL.
Again, modern mail clients deal with this by marking such links as
invalid, or warning in some other way.
4) Finally, I suppose comments in HTML could contain unsafe words that
will get you in trouble if you have net-nanny software. But it's incoming
mail, not your fault; no company can reasonably penalize you on that
basis!
The bottom line is that HTML email is here to stay. Folks whine about it,
but the scales tipped a while ago, and too many senders use it for it to
be reasonable to NOT read it. Yes, there are folks who do; they're missing
out on some things, alas. I get some lists as Digests, and the HTML parts
aren't usable due to the Digest format -- and outnumber the plaintext
parts.
My $0.02:
Using good antivirus protection, practicing smart email hygiene, and
having one (or several) layers of good spam filtering will keep you out of
trouble, and you can enjoy the benefits of HTML email with the rest of the
world.
Oh, and if you use Outlook, try Autopreview (NOT the preview pane, the
thing that shows you the first couple of lines of unread/all email even
before you open it), which is not only nice but can also help you detect
spam. Autopreview only looks at the non-HTML MIME-part, so (a) it avoids
even the remaining, minor risks and (b) when you *don't* see an
Autopreview on a note, you know that there is only an HTML MIME-part (or
the body is empty). This provides yet another layer of early warning that
this might be a dangerous message, either because what the Autopreview
shows you tells you the note isn't interesting, or because there IS no
Autopreview when you suspect there should be.
I've built these opinions over the last 30 years of email (not that I had
to worry about spam for the first 15 or so!). I currently receive 200-300
notes a day. I have three layers of spam filtering:
- my ISP marks things THEY think are SPAM with a keyword in the Subject:
- Outlook does its silly (and almost useless) filtering
- I have a Bayesian filter that I've trained (K9, www.keir.net, runs as a
POP proxy), which adds a header that I can filter on
Rules tag any incoming notes that have been marked as spam either by my
ISP or my Bayesian filter with specific categories, and then move them to
a spam folder for later analysis.
One of the nice things about the Bayesian filter is that it lets me look
at the raw note, so if I'm really suspicious of one, I can check it out
safely.
This might sound cumbersome -- but it really isn't. I glance at the spam
folder a couple of times a day; with a customized view that includes who
the note was sent *TO*, I can easily eliminate obvious spam. The one or
two notes left are then equally easy to handle. I get a couple of false
positives a week, tops (other than my ISP, who is stupid about some
senders), and don't believe I've missed a "real" note in a while. When I
delete that spam, it goes into a separate .PST file anyway, so if I later
suspect I missed something, I can go hunt it down.
I'm using Outlook 2007 (updated from 2003, updated from 2000, updated from
97). Thunderbird would be equally easy to do all of this with; Eudora too,
although it's a pretty weak excuse for a client nowadays. And I'm sure
there are others. Outlook Express...not so much, it's free and worth every
penny.
OK, I've blathered on long enough. Hope this is useful.
...phsiii
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@bama.ua.edu with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
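Added example, not part of the original thread or of any mail client or product mentioned in it: a small standard-library Python script that checks an e-mail for the three things Phil describes above, namely remote "web bug" images whose URL carries a per-recipient identifier (point 2), links whose visible text names a host other than the one the href really points at (point 3), and messages with no text/plain MIME part, which is what a plain-text preview such as Autopreview would show. The sample message, the hostnames and addresses in it, and the TRACKING_KEYS list are constructed for the demo and are assumptions of this example.

```python
"""Added example: check an e-mail for the HTML risks discussed in the thread
(web bugs, mismatched link text, HTML-only messages). Standard library only;
the sample message and hostnames are constructed here for the demo."""
import re
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Query-string keys that commonly carry a recipient identifier.  This set is
# an assumption of the example, not something the post specifies.
TRACKING_KEYS = {"userid", "user", "email", "uid", "id", "rid", "recipient", "token"}
_TOKEN = re.compile(r"^[0-9a-f]{16,}$", re.I)  # long opaque hex ids
_HOSTLIKE = re.compile(r"^(?:https?://)?[\w.-]+\.[a-z]{2,}(?:[/?#]\S*)?$", re.I)


class _Scanner(HTMLParser):
    """Collect <img src> values and (href, visible text) pairs for <a>."""

    def __init__(self):
        super().__init__()
        self.images, self.links = [], []
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img" and a.get("src"):
            self.images.append(a["src"])
        elif tag == "a" and a.get("href"):
            self._href, self._text = a["href"], []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def _host(url):
    """Host of a URL or bare hostname; ignores a user@ prefix, :port and www."""
    netloc = urlparse(url if "://" in url else "http://" + url).netloc.lower()
    return netloc.rsplit("@", 1)[-1].split(":")[0].removeprefix("www.")


def find_tracking_images(html):
    """Remote image URLs whose query string looks like a per-recipient id."""
    s = _Scanner()
    s.feed(html)
    hits = []
    for src in s.images:
        u = urlparse(src)
        if u.scheme not in ("http", "https"):
            continue  # cid:/data: images do not phone home
        q = parse_qs(u.query)
        vals = [v for vs in q.values() for v in vs]
        if any(k.lower() in TRACKING_KEYS for k in q) or any(
                "@" in v or _TOKEN.match(v) for v in vals):
            hits.append(src)
    return hits


def find_mismatched_links(html):
    """(visible text, real href) pairs where the shown host is not the target."""
    s = _Scanner()
    s.feed(html)
    return [(text, href) for href, text in s.links
            if _HOSTLIKE.match(text) and _host(text) != _host(href)]


def has_plain_text_part(raw):
    """True if the message carries a text/plain body (what a preview shows)."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    return msg.get_body(preferencelist=("plain",)) is not None


def html_part(raw):
    """Decoded text/html body, or '' if the message has none."""
    msg = BytesParser(policy=policy.default).parsebytes(raw)
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part is not None else ""


def build_sample(html_only=False):
    """Constructed sample message (hostnames and addresses are made up)."""
    html = (
        "<html><body><p>Your statement is ready.</p>\n"
        '<p>Log in at <a href="http://login.example-phish.test/x">'
        "www.yourbank.com</a></p>\n"
        '<img src="http://graphics.server.com/webbug.gif?userid=graham@example.org"'
        ' width="1" height="1">\n<img src="cid:logo">\n</body></html>\n'
    )
    msg = EmailMessage()
    msg["From"], msg["To"] = "news@example.net", "graham@example.org"
    msg["Subject"] = "Your statement is ready"
    if html_only:
        msg.set_content(html, subtype="html")
    else:
        msg.set_content("Your statement is ready: https://www.yourbank.com/\n")
        msg.add_alternative(html, subtype="html")
    return msg.as_bytes()


if __name__ == "__main__":
    raw = build_sample()
    print("plain part present:", has_plain_text_part(raw))
    print("HTML-only sample has plain part:", has_plain_text_part(build_sample(True)))
    print("web bugs:", find_tracking_images(html_part(raw)))
    print("mismatched links:", find_mismatched_links(html_part(raw)))
```

Run it as a script to see the constructed message flagged on all three counts; feed `has_plain_text_part`, `find_tracking_images` and `find_mismatched_links` the raw bytes or HTML body of a real message to apply the same checks. The host comparison strips any `user@` prefix from the href's authority, so a link of the form `http://www.yourbank.com@evil.test/` is still reported as pointing at evil.test.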
__________ Information from ESET NOD32 Antivirus, version of virus
signature database 4831 (20100203) __________
The message was checked by ESET NOD32 Antivirus.
http://www.eset.com