
Re: I was auto-outed by an IMG tag in HTML spam




>   at 03:00 AM, Anonymous <[email protected]> said:
>>Use mail readers that don't automatically process HTML and
>>connect to image servers, accept cookies, or run javascripts.  You are
>>being watched by tricky defective, er, detective types. es.
>
>Several things here:
>
At 02:32 AM 2/18/98 -0500, William H. Geiger III wrote:
>1. HTML in mail:
>There is just no place for this crap in e-mail. If multipart/alternative
>is used it is tolerable but pure text/html messages go into the bitbucket
>with an autoreply explaining to the poster the error of their ways. :)

HTML is a fine format for email.  It's ASCII readable, and supports
content description tags that the user's mail reader can render as
bold/italic/underline/header-levels/color/etc.  It's far superior
to using bloated undocumented Microsoft Word attachments.
95% of the HTML email I get IS spam, but that's a separate problem :-)
(After all, SPAMMERs like bright colored blinking attention-getting mail.)

>2. AutoProcessing of Attachments:
>This is *always* a BadThing(TM). Not only is it an obvious security risk
>it is a PITA for the user. I would be really pissed if my mailer launched a
>V-Card app every time someone thought it was a GoodThing(TM) to add these
>attachments to every message they sent out.

>3. AutoDownloading of Data:
>I imagine what happened here is the internal logic for N$ mailreader when
>processing a html/text e-mail message is to treat it just like a WebPage
>and processes it accordingly.
>IMHO a mail client that is going out to an external site to DL data whether
>it be part of a html/text message or Message/External-Body the mailer
>should prompt the user on whether or not he wishes to retrieve the data.

Doesn't even need a prompt - a basic missing-picture icon is fine,
with a load-images command somewhere.  While it's not as dangerous as
auto-processing, autodownloading is annoying, and can be both a
security risk (the auto-outing problem) and a denial-of-service risk.

Needs to be either off by default or not there at all.

>My recommendation is to dump the Netscape garbage and get a real e-mail
>client. Netscape has done a good job at screwing up the web we really
>don't need the same favor from them with e-mail.

Netscape mail is adequate for many people, just as Eudora is.
Newer versions are pretty bloated, but including S/MIME mail encryption
for everybody is a Good Thing.
				Thanks! 
					Bill
Bill Stewart, [email protected]
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639
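
The behaviour suggested in the message above (render a placeholder, and fetch remote images only on an explicit load-images command) can be sketched as follows. This is an added Python example, not part of the original post; the sample message, the host name and the `data-blocked` attribute are constructed for illustration.

```python
import html
from email import message_from_string, policy
from html.parser import HTMLParser

# Attributes a renderer fetches automatically, with no user action.
AUTO_FETCH = {"src", "background", "lowsrc"}
REMOTE = ("http:", "https:", "ftp:", "//")

class RemoteBlocker(HTMLParser):
    """Re-emit HTML with remote auto-fetched URLs disabled; drops comments/doctype."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.blocked = [], []

    def _tag(self, tag, attrs, close=""):
        parts = [tag]
        for name, value in attrs:
            url = (value or "").strip()
            if name in AUTO_FETCH and url.lower().startswith(REMOTE):
                self.blocked.append(url)
                name = "data-blocked"  # hypothetical marker for "load images"
            parts.append(name if value is None else f'{name}="{html.escape(value)}"')
        self.out.append("<" + " ".join(parts) + close + ">")

    def handle_starttag(self, tag, attrs): self._tag(tag, attrs)
    def handle_startendtag(self, tag, attrs): self._tag(tag, attrs, " /")
    def handle_endtag(self, tag): self.out.append(f"</{tag}>")
    def handle_data(self, data): self.out.append(html.escape(data, quote=False))

def safe_view(raw_message):
    """Return (html_with_remote_fetches_disabled, blocked_urls)."""
    msg = message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    if part is None:          # no HTML part: nothing to fetch
        return None, []
    blocker = RemoteBlocker()
    blocker.feed(part.get_content())
    blocker.close()
    return "".join(blocker.out), blocker.blocked

# Constructed sample: one remote image with a per-recipient id, one inline cid.
SAMPLE = """\
Content-Type: text/html; charset="us-ascii"

<html><body><b>Hello</b>
<img src="http://tracker.example.invalid/pixel.gif?id=reader42" width="1">
<img src="cid:logo1"></body></html>
"""
```

Inline `cid:` images travel with the message and are left alone; only references that would contact an outside server are disabled and listed.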