On Friday 09 December 2005 01:14 pm, Bob Young wrote:
> >For those of us seriously concerned about security,
> >that's a huge reason right there, altho admittedly, alone, the benefits
> >might outweigh it, if a suitably secure parsing method can be found (and
> >there is such a method, don't fetch any content not in the mail, don't
> >render any active content, only text, formatting, and images, being a very
> >good start).
I should point out that even only rendering text, formatting and images is
still not restrictive enough. The images themselves can often be part of the
problem. I work with people who get spammed on a regular basis with emails
that contain graphic visual content. They didn't ask for this kind of
e-mail, they just get it because their e-mail addresses have to be quite
public, and therefore easily harvestable by spam engines. Part of the
problem is that while you can parse text for offensive content and filter it,
the images that are often sent with HTML are something that can't be filtered
ahead of time. It could be a screenshot that you asked for, or it could be a
camera image that you really never wanted to see. Now suppose these e-mail
accounts were for kids, rather than old professionals and it just gets worse.
And once you have to blank out images as well, what are you really dealing
with in the HTML mail that can't be handled by raw text? Also compare that
with the extra room taken up by all of the HTML and there's no good reason to
use it, especially on mailing lists like this (Which is where the major
objection comes in).
Also remember that for lists, it's not just a matter of tossing in a few extra
lines of HTML to one person. An extra k or 2 of data to a single user is no
big deal. But multiply that by, say, 1000 or more people on a list, per
post, and it quickly starts adding up to become a serious bandwidth issue for
the list server.
In large part, it comes down to respecting the rules of the community that
you're in. FLOSS lists and users date back to the very earliest days of the
internet, and have very strong opinions about how things should be done. Not
using HTML on mail to lists, not top-posting your replies in lists, and
trimming parts of the message that don't relate to your reply are just part
of what is expected. Ignore the rules, and the people are going to ignore
you in return. Don't argue about why your way is better when it's in clear
opposition to the people who make up the community, simply accept that they
have reasons for doing things the way they do, and abide by those rules when
you're in their home.
> >Others are free to continue their in our opinion misguided
> >use, as long as they don't involve us, either in their mail, or in the
> >DoSs that result when one of their HTML mail spread malware things gets
Well said. In other words - use HTML all you want anywhere else, just don't
use it in my backyard.
> Since many emails are already html, and there hasn't been any wide spread
> "malware thing" in quite some time, you still don't seem to have a real
> solid basis for your opinion, at least not one that's based on current
> facts, and objective analysis.
So, exactly what would you refer to the Sober Worm attack on Nov. 23 as??? 3
weeks ago is pretty damned recent. And as for "objective analysis"... How
many spam filter rules are there that boil down to "It's got HTML/it's got
loads of HTML in it - it's probably spam". I'd call that a fairly objective
> >( Had plain text
> >remained the rule, all those infections wouldn't have happened, and I'd
> >likely still be able to run my own mail server and connect to others
> >directly, so YES, it has affected me!)
Seconded! (Because I AM tasked with trying to run the mail server in addition
to every other technical aspect of our operation, and had to deal with that
attack 3 weeks ago)
> If we all communicated using Morse code we would be safe also, we don't
> because there are more convenient and effective methods. Do you allow html
> to be rendered when you browse the web? If so, why is email more dangerous
> when your email client can easily be configured to render html just as
> safely as your browser?
How's about because we can CHOOSE where we go when we browse the web, and we
can change the settings that we use if we go to sites we don't trust. But,
if you have to work at all with the public at large, you have to accept
e-mail from people whose intentions are a complete mystery to you, because
you can't know until you read it if it's a legitimate e-mail. Yes, you can
filter out some things that are very obviously spam, but you can't stop
Sorry for this rant, it's just that I happen to strongly agree with the
community here that HTML e-mail is a BAD THING - especially to FLOSS lists.
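The handling the thread argues for (no remote fetches, no active content, HTML-heavy mail treated as spam-suspect, everything else delivered as plain text), as an added example that is not part of the original post or of any mail software: a Python audit built on the standard email and html.parser modules. The sample message, the 0.8 markup threshold and the verdict names are constructed assumptions.

```python
import email
import html
from email import policy
from html.parser import HTMLParser
# Constructed sample (not from the thread): remote tracking image, inline cid: image, script block.
SAMPLE_MAIL = """\
Content-Type: text/html

<html><body><p>See the <b>attached</b> report.</p>
<img src="http://tracker.example.com/pixel.gif" width="1" height="1">
<img src="cid:screenshot1" alt="inline screenshot">
<script>window.location = "http://example.com/";</script>
</body></html>
"""
ACTIVE_TAGS = {"script", "object", "embed", "iframe", "form"}

class HtmlAuditor(HTMLParser):
    """Counts remote images and active content; keeps only the visible text."""
    def __init__(self):
        super().__init__()
        self.remote_images, self.active_tags, self._skip, self._text = 0, 0, 0, []
    def handle_starttag(self, tag, attrs):
        src = (dict(attrs).get("src") or "").strip().lower()
        if tag == "img" and src.startswith(("http:", "https:", "//")):
            self.remote_images += 1        # rendering it would fetch from a remote host
        if tag in ACTIVE_TAGS:
            self.active_tags += 1
            self._skip += 1                # hide the element's body from the text too
    def handle_endtag(self, tag):
        if tag in ACTIVE_TAGS and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self._text.append(data)

def audit_message(raw):
    """Risk features, a verdict in the spirit of the thread, and a text-only rendering."""
    msg = email.message_from_string(raw, policy=policy.default)
    part = msg.get_body(preferencelist=("html", "plain"))
    body = part.get_content() if part is not None else ""
    is_html = part is not None and part.get_content_type() == "text/html"
    a = HtmlAuditor()
    a.feed(body if is_html else html.escape(body))   # plain text passes straight through
    a.close()
    text = " ".join(" ".join(a._text).split())
    ratio = round(1 - len(text) / max(len(body), 1), 2)   # share of the body that is markup
    verdict = ("quarantine" if a.active_tags or a.remote_images   # runs code or phones home
               else "flag-as-likely-spam" if ratio > 0.8          # the "mostly HTML" filter rule
               else "deliver-as-text")
    return {"remote_images": a.remote_images, "active_tags": a.active_tags,
            "markup_ratio": ratio, "verdict": verdict, "safe_text": text}
```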