Ron Currier writes:
> There have been several questions over the last couple of weeks about
> displaying external images in HTML formatted e-mails and the answer
> is always that it is a security risk. Could someone (Sam?) please
> explain where the risk is? The browser will fetch the URL and attempt
> to render the file based on the file extension.
... Along with any trojan cookies, or rogue JavaScript code. Not to mention
the remote web server logging your transfer, thus, with carefully-crafted
HTML, the sender will know -- without your knowledge -- whether and when the
HTML E-mail has been read.
> The renderer will fail
> if it isn't a valid/known image format. The file may be left in the
> browser's cache, but unless you are in the habit of attempting to
> manually execute random files in your cache, I don't see where the
> risk is.
>
> ======================================================================
> Ron Currier PublishMail, LLC
> Chief Technical Officer www.publishmail.com
> Phone: 978.373.9025 Fax: 978-373-7815
>
Item #18 in your organization's FAQ mentions one privacy-invading practice
which is prevented by blocking external images. I think that you may
already know all the tricks that can be pulled with web bugs, and other
kinds of funny business, in HTML-formatted E-mail messages.
I know all about them too.
--
Sam
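
The blocking discussed in this thread, as an added example that is not code from the thread or from any mail client: it rewrites an HTML message body so that only embedded (`cid:` / `data:`) resources remain, and drops script elements and event-handler attributes. The attribute list, the `cid:blocked` placeholder, and the sample body are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

AUTOLOAD = {"src", "background", "poster"}  # fetched on render (assumed, not exhaustive)
BLOCKED = "cid:blocked"                     # hypothetical placeholder reference

def is_embedded(value):  # allow-list: only MIME-part (cid:) and inline (data:) refs stay
    return value.strip().lower().startswith(("cid:", "data:"))

class RemoteContentFilter(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.findings, self.in_script = [], [], False

    def handle_starttag(self, tag, attrs):
        if tag == "script":                 # drop the element and its body
            self.in_script = True
            self.findings.append(("script", ""))
            return
        kept = []
        for name, value in attrs:
            value = value or ""
            if name.startswith("on") or (name == "style" and "url(" in value.lower()):
                self.findings.append(("dropped-attr", name))
                continue
            if (name in AUTOLOAD or (tag == "link" and name == "href")) and not is_embedded(value):
                self.findings.append(("remote", value))   # would have hit a remote server
                value = BLOCKED
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag != "script":
            self.out.append(f"</{tag}>")
        self.in_script = False              # inside <script> only </script> is parsed

    def handle_data(self, data):
        if not self.in_script:
            self.out.append(escape(data, quote=False))

def filter_html(body):
    f = RemoteContentFilter()
    f.feed(body)
    f.close()
    return "".join(f.out), f.findings

# Constructed sample body (not from the thread): web bug, handler, script, embedded logo.
SAMPLE = ('<body onload="t()"><p>Hi &amp; bye</p><img src="cid:logo@example.org">'
          '<img src="http://tracker.example/o.gif?u=1234" width="1" height="1">'
          '<script>document.cookie</script></body>')
```

`filter_html(SAMPLE)` returns the rewritten body and a list of what was blocked; `<style>` blocks and CSS `@import` are not covered here and would need the same treatment.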