| 1 |
On Friday 09 December 2005 01:14 pm, Bob Young wrote: |
| 2 |
> >For those of us seriously concerned about security, |
| 3 |
> >that's a huge reason right there, altho admittedly, alone, the benefits |
| 4 |
> >might outweigh it, if a suitably secure parsing method can be found (and |
| 5 |
> >there is such a method, don't fetch any content not in the mail, don't |
| 6 |
> >render any active content, only text, formatting, and images, being a very |
| 7 |
> >good start). |
| 8 |
> |
| 9 |
|
| 10 |
I should point out that even only rendering text, formatting and images is |
| 11 |
still not restrictive enough. The images themselves can often be part of the |
| 12 |
problem. I work with people who get spammed on a regular basis with emails |
| 13 |
that contain graphic visual content. They didn't ask for this kind of |
| 14 |
e-mail, they just get it because their e-mail addresses have to be quite |
| 15 |
public, and therefore easily harvestable by spam engines. Part of the |
| 16 |
problem is that while you can parse text for offensive content and filter it, |
| 17 |
the images that are often sent with HTML are something that can't be filtered |
| 18 |
ahead of time. It could be a screenshot that you asked for, or it could be a |
| 19 |
camera image that you really never wanted to see. Now suppose these e-mail |
| 20 |
accounts were for kids, rather than old professionals and it just gets worse. |
| 21 |
And once you have to blank out images as well, what are you really dealing |
| 22 |
with in the HTML mail that can't be handled by raw text? Also compare that |
| 23 |
with the extra room taken up by all of the HTML and there's no good reason to |
| 24 |
use it, especially on mailing lists like this (Which is where the major |
| 25 |
objection comes in). |
| 26 |
|
| 27 |
Also remember that for lists, it's not just a matter of tossing in a few extra |
| 28 |
lines of HTML to one person. An extra k or 2 of data to a single user is no |
| 29 |
big deal. But multiply that by, say, 1000 or more people on a list, per |
| 30 |
post, and it quickly starts adding up to become a serious bandwidth issue for |
| 31 |
the list server. |
| 32 |
|
| 33 |
In large part, it comes down to respecting the rules of the community that |
| 34 |
you're in. FLOSS lists and users date back to the very earliest days of the |
| 35 |
internet, and have very strong opinions about how things should be done. Not |
| 36 |
using HTML on mail to lists, not top-posting your replies in lists, and |
| 37 |
trimming parts of the message that don't relate to your reply are just part |
| 38 |
of what is expected. Ignore the rules, and the people are going to ignore |
| 39 |
you in return. Don't argue about why your way is better when it's in clear |
| 40 |
opposition to the people who make up the community, simply accept that they |
| 41 |
have reasons for doing things the way they do, and abide by those rules when |
| 42 |
you're in their home. |
| 43 |
|
| 44 |
> >Others are free to continue their in our opinion misguided |
| 45 |
> >use, as long as they don't involve us, either in their mail, or in the |
| 46 |
> >DoSs that result when one of their HTML mail spread malware things gets |
| 47 |
> >going! |
| 48 |
|
| 49 |
Well said. In other words - use HTML all you want anywhere else, just don't |
| 50 |
use it in my backyard. |
| 51 |
|
| 52 |
> |
| 53 |
> Since many emails are already html, and there hasn't been any wide spread |
| 54 |
> "malware thing" in quite some time, you still don't seem to have a real |
| 55 |
> solid basis for your opinion, at least not one that's based on current |
| 56 |
> facts, and objective analysis. |
| 57 |
> |
| 58 |
|
| 59 |
So, exactly what would you refer to the Sober Worm attack on Nov. 23 as??? 3 |
| 60 |
weeks ago is pretty damned recent. And as for "objective analysis"... How |
| 61 |
many spam filter rules are there that boil down to "It's got HTML/it's got |
| 62 |
loads of HTML in it - it's probably spam". I'd call that a fairly objective |
| 63 |
viewpoint. |
| 64 |
|
| 65 |
> >( Had plain text |
| 66 |
> >remained the rule, all those infections wouldn't have happened, and I'd |
| 67 |
> >likely still be able to run my own mail server and connect to others |
| 68 |
> >directly, so YES, it has affected me!) |
| 69 |
> |
| 70 |
|
| 71 |
Seconded! (Because I AM tasked with trying to run the mail server in addtion |
| 72 |
to every other technical aspect of our operation, and had to deal with that |
| 73 |
attack 3 weeks ago) |
| 74 |
|
| 75 |
> If we all communicated using Morse code we would be safe also, we don't |
| 76 |
> because there are more convenient and effective methods. Do you allow html |
| 77 |
> to be rendered when you browse the web? If so, why is email more dangerous |
| 78 |
> when your email client can easily be configured to render html just as |
| 79 |
> safely as your browser? |
| 80 |
> |
| 81 |
|
| 82 |
How's about because we can CHOOSE where we go when we browse the web, and we |
| 83 |
can change the settings that we use if we go to sites we don't trust. But, |
| 84 |
if you have to work at all with the public at large, you have to accept |
| 85 |
e-mail from people who's intentions are a complete mystery to you, because |
| 86 |
you can't know until you read it if it's a legitimate e-mail. Yes, you can |
| 87 |
filter out some things that are very obviously spam, but you can't stop |
| 88 |
everything. |
| 89 |
|
| 90 |
Sorry for this rant, it's just that I happen to strongly agree with the |
| 91 |
community here that HTML e-mail is a BAD THING - especially to FLOSS lists. |
| 92 |
|
| 93 |
-- |
| 94 |
Eric Bliss |
| 95 |
systems design and integration, |
| 96 |
CreativeCow.Net |
| 97 |
-- |
| 98 |
gentoo-amd64@g.o mailing list |
Archives