On Friday 09 December 2005 01:14 pm, Bob Young wrote:
> >For those of us seriously concerned about security,
> >that's a huge reason right there, altho admittedly, alone, the benefits
> >might outweigh it, if a suitably secure parsing method can be found (and
> >there is such a method, don't fetch any content not in the mail, don't
> >render any active content, only text, formatting, and images, being a very
> >good start).
>
|
I should point out that even only rendering text, formatting and images is
still not restrictive enough. The images themselves can often be part of the
problem. I work with people who get spammed on a regular basis with emails
that contain graphic visual content. They didn't ask for this kind of
e-mail, they just get it because their e-mail addresses have to be quite
public, and therefore easily harvestable by spam engines. Part of the
problem is that while you can parse text for offensive content and filter it,
the images that are often sent with HTML are something that can't be filtered
ahead of time. It could be a screenshot that you asked for, or it could be a
camera image that you really never wanted to see. Now suppose these e-mail
accounts were for kids, rather than old professionals and it just gets worse.
And once you have to blank out images as well, what are you really dealing
with in the HTML mail that can't be handled by raw text? Also compare that
with the extra room taken up by all of the HTML and there's no good reason to
use it, especially on mailing lists like this (Which is where the major
objection comes in).
|
Also remember that for lists, it's not just a matter of tossing in a few extra
lines of HTML to one person. An extra k or 2 of data to a single user is no
big deal. But multiply that by, say, 1000 or more people on a list, per
post, and it quickly starts adding up to become a serious bandwidth issue for
the list server.
|
In large part, it comes down to respecting the rules of the community that
you're in. FLOSS lists and users date back to the very earliest days of the
internet, and have very strong opinions about how things should be done. Not
using HTML on mail to lists, not top-posting your replies in lists, and
trimming parts of the message that don't relate to your reply are just part
of what is expected. Ignore the rules, and the people are going to ignore
you in return. Don't argue about why your way is better when it's in clear
opposition to the people who make up the community, simply accept that they
have reasons for doing things the way they do, and abide by those rules when
you're in their home.
|
> >Others are free to continue their in our opinion misguided
> >use, as long as they don't involve us, either in their mail, or in the
> >DoSs that result when one of their HTML mail spread malware things gets
> >going!
|
Well said. In other words - use HTML all you want anywhere else, just don't
use it in my backyard.
|
>
> Since many emails are already html, and there hasn't been any widespread
> "malware thing" in quite some time, you still don't seem to have a real
> solid basis for your opinion, at least not one that's based on current
> facts, and objective analysis.
>
|
So, exactly what would you refer to the Sober Worm attack on Nov. 23 as??? 3
weeks ago is pretty damned recent. And as for "objective analysis"... How
many spam filter rules are there that boil down to "It's got HTML/it's got
loads of HTML in it - it's probably spam". I'd call that a fairly objective
viewpoint.
|
> >( Had plain text
> >remained the rule, all those infections wouldn't have happened, and I'd
> >likely still be able to run my own mail server and connect to others
> >directly, so YES, it has affected me!)
>
|
Seconded! (Because I AM tasked with trying to run the mail server in addition
to every other technical aspect of our operation, and had to deal with that
attack 3 weeks ago)
|
> If we all communicated using Morse code we would be safe also, we don't
> because there are more convenient and effective methods. Do you allow html
> to be rendered when you browse the web? If so, why is email more dangerous
> when your email client can easily be configured to render html just as
> safely as your browser?
>
|
How's about because we can CHOOSE where we go when we browse the web, and we
can change the settings that we use if we go to sites we don't trust. But,
if you have to work at all with the public at large, you have to accept
e-mail from people whose intentions are a complete mystery to you, because
you can't know until you read it if it's a legitimate e-mail. Yes, you can
filter out some things that are very obviously spam, but you can't stop
everything.
|
Sorry for this rant, it's just that I happen to strongly agree with the
community here that HTML e-mail is a BAD THING - especially to FLOSS lists.
|
--
Eric Bliss
systems design and integration,
CreativeCow.Net
--
gentoo-amd64@g.o mailing list
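
The rendering policy quoted in the message above (fetch nothing from outside the mail, render no active content) and the stricter text-only position the reply argues for, sketched as an added example that is not part of the original thread. The names `TextOnly`, `reduce_to_text` and `SAMPLE` are hypothetical, and the sample message is constructed.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

# Constructed sample (not from the thread); example.org is a placeholder host.
SAMPLE = """\
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body onload="track()"><p>Hello <b>list</b></p><script>var x = 1;</script>
<img src="http://example.org/pixel.gif"><img src="cid:photo1"></body></html>
"""
SKIP = {"script", "style", "iframe", "object"}  # containers whose content is dropped

class TextOnly(HTMLParser):
    """Keep visible text only and record what the text-only policy dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.text, self.dropped, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag in SKIP:
            self._skip += 1
            self.dropped.append(("active", tag))
        elif tag == "img":  # cid: refers to a part inside the mail, anything else is a fetch
            src = attrs.get("src") or ""
            self.dropped.append(("inline-image" if src.startswith("cid:") else "remote-fetch", src))
        # on* attributes are script event handlers (conservative prefix match)
        self.dropped.extend(("active", a) for a in attrs if a.startswith("on"))

    def handle_endtag(self, tag):
        if tag in SKIP and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())

def reduce_to_text(raw):
    """Return (text, dropped); a text/plain body wins over text/html."""
    msg = message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("plain", "html"))
    if part is None:
        return "", []
    if part.get_content_subtype() == "plain":
        return part.get_content().strip(), []
    parser = TextOnly()
    parser.feed(part.get_content())
    parser.close()
    return " ".join(parser.text), parser.dropped
```

The `dropped` list separates images carried inside the mail (`cid:`) from references that would cause a network fetch, which is the distinction the quoted policy draws; the text-only position discards both.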