Gentoo Logo
Gentoo Spaceship




Note: Due to technical difficulties, the Archives are currently not up to date. GMANE provides an alternative service for most mailing lists.
c.f. bug 424647
List Archive: gentoo-amd64
Navigation:
Lists: gentoo-amd64: < Prev By Thread Next > < Prev By Date Next >
Headers:
To: gentoo-amd64@g.o
From: Eric Bliss <eric@...>
Subject: Re: [OT- html posts]
Date: Fri, 9 Dec 2005 14:16:51 -0800
On Friday 09 December 2005 01:14 pm, Bob Young wrote:
> >For those of us seriously concerned about security,
> >that's a huge reason right there, altho admittedly, alone, the benefits
> >might outweigh it, if a suitably secure parsing method can be found (and
> >there is such a method, don't fetch any content not in the mail, don't
> >render any active content, only text, formatting, and images, being a very
> >good start).
> 

I should point out that even only rendering text, formatting and images is 
still not restrictive enough.  The images themselves can often be part of the 
problem.  I work with people who get spammed on a regular basis with emails 
that contain graphic visual content.  They didn't ask for this kind of 
e-mail, they just get it because their e-mail addresses have to be quite 
public, and therefore easily harvestable by spam engines.  Part of the 
problem is that while you can parse text for offensive content and filter it, 
the images that are often sent with HTML are something that can't be filtered 
ahead of time.  It could be a screenshot that you asked for, or it could be a 
camera image that you really never wanted to see.  Now suppose these e-mail 
accounts were for kids, rather than old professionals and it just gets worse.  
And once you have to blank out images as well, what are you really dealing 
with in the HTML mail that can't be handled by raw text?  Also compare that 
with the extra room taken up by all of the HTML and there's no good reason to 
use it, especially on mailing lists like this (Which is where the major 
objection comes in).

Also remember that for lists, it's not just a matter of tossing in a few extra 
lines of HTML to one person.  An extra k or 2 of data to a single user is no 
big deal.  But multiply that by, say, 1000 or more people on a list, per 
post, and it quickly starts adding up to become a serious bandwidth issue for 
the list server.

In large part, it comes down to respecting the rules of the community that 
you're in.  FLOSS lists and users date back to the very earliest days of the 
internet, and have very strong opinions about how things should be done.  Not 
using HTML on mail to lists, not top-posting your replies in lists, and 
trimming parts of the message that don't relate to your reply are just part 
of what is expected.  Ignore the rules, and the people are going to ignore 
you in return.  Don't argue about why your way is better when it's in clear 
opposition to the people who make up the community, simply accept that they 
have reasons for doing things the way they do, and abide by those rules when 
you're in their home.

> >Others are free to continue their in our opinion misguided
> >use, as long as they don't involve us, either in their mail, or in the
> >DoSs that result when one of their HTML mail spread malware things gets
> >going!

Well said.  In other words - use HTML all you want anywhere else, just don't 
use it in my backyard.

> 
> Since many emails are already html, and there hasn't been any wide spread
> "malware thing" in quite some time, you still don't seem to have a real
> solid basis for your opinion, at least not one that's based on current
> facts, and objective analysis.
> 

So, exactly what would you refer to the Sober Worm attack on Nov. 23 as???  3 
weeks ago is pretty damned recent.  And as for "objective analysis"...  How 
many spam filter rules are there that boil down to "It's got HTML/it's got 
loads of HTML in it - it's probably spam".  I'd call that a fairly objective 
viewpoint.

> >( Had plain text
> >remained the rule, all those infections wouldn't have happened, and I'd
> >likely still be able to run my own mail server and connect to others
> >directly, so YES, it has affected me!)
> 

Seconded!  (Because I AM tasked with trying to run the mail server in addtion 
to every other technical aspect of our operation, and had to deal with that 
attack 3 weeks ago)

> If we all communicated using Morse code we would be safe also, we don't
> because there are more convenient and effective methods. Do you allow html
> to be rendered when you browse the web? If so, why is email more dangerous
> when your email client can easily be configured to render html just as
> safely as your browser?
> 

How's about because we can CHOOSE where we go when we browse the web, and we 
can change the settings that we use if we go to sites we don't trust.  But, 
if you have to work at all with the public at large, you have to accept 
e-mail from people who's intentions are a complete mystery to you, because 
you can't know until you read it if it's a legitimate e-mail.  Yes, you can 
filter out some things that are very obviously spam, but you can't stop 
everything.

Sorry for this rant, it's just that I happen to strongly agree with the 
community here that HTML e-mail is a BAD THING - especially to FLOSS lists.

-- 
Eric Bliss
systems design and integration,
CreativeCow.Net
-- 
gentoo-amd64@g.o mailing list


Replies:
RE: [OT- html posts]
-- Bob Young
References:
RE: RE: Re: gcc compile failed after 2005.1-r1 instalation [OT- html posts]
-- Bob Young
Navigation:
Lists: gentoo-amd64: < Prev By Thread Next > < Prev By Date Next >
Previous by thread:
RE: RE: Re: gcc compile failed after 2005.1-r1 instalation [OT- html posts]
Next by thread:
RE: [OT- html posts]
Previous by date:
RE: RE: Re: gcc compile failed after 2005.1-r1 instalation [OT- html posts]
Next by date:
Firefox and Flash


Updated Jun 17, 2009

Summary: Archive of the gentoo-amd64 mailing list.

Donate to support our development efforts.

Copyright 2001-2013 Gentoo Foundation, Inc. Questions, Comments? Contact us.