Gentoo Archives: gentoo-amd64

From: Eric Bliss <eric@×××××××××××.net>
To: gentoo-amd64@l.g.o
Subject: Re: [gentoo-amd64] [OT- html posts]
Date: Fri, 09 Dec 2005 22:18:59
In Reply to: RE: [gentoo-amd64] RE: Re: gcc compile failed after 2005.1-r1 instalation [OT- html posts] by Bob Young
On Friday 09 December 2005 01:14 pm, Bob Young wrote:
> >For those of us seriously concerned about security,
> >that's a huge reason right there, altho admittedly, alone, the benefits
> >might outweigh it, if a suitably secure parsing method can be found (and
> >there is such a method, don't fetch any content not in the mail, don't
> >render any active content, only text, formatting, and images, being a very
> >good start).
>
I should point out that even only rendering text, formatting and images is still not restrictive enough. The images themselves can often be part of the problem. I work with people who get spammed on a regular basis with emails that contain graphic visual content. They didn't ask for this kind of e-mail, they just get it because their e-mail addresses have to be quite public, and therefore easily harvestable by spam engines. Part of the problem is that while you can parse text for offensive content and filter it, the images that are often sent with HTML are something that can't be filtered ahead of time. It could be a screenshot that you asked for, or it could be a camera image that you really never wanted to see. Now suppose these e-mail accounts were for kids, rather than old professionals and it just gets worse.

And once you have to blank out images as well, what are you really dealing with in the HTML mail that can't be handled by raw text? Also compare that with the extra room taken up by all of the HTML and there's no good reason to use it, especially on mailing lists like this (Which is where the major objection comes in).

Also remember that for lists, it's not just a matter of tossing in a few extra lines of HTML to one person. An extra k or 2 of data to a single user is no big deal. But multiply that by, say, 1000 or more people on a list, per post, and it quickly starts adding up to become a serious bandwidth issue for the list server.

In large part, it comes down to respecting the rules of the community that you're in. FLOSS lists and users date back to the very earliest days of the internet, and have very strong opinions about how things should be done. Not using HTML on mail to lists, not top-posting your replies in lists, and trimming parts of the message that don't relate to your reply are just part of what is expected. Ignore the rules, and the people are going to ignore you in return.
Don't argue about why your way is better when it's in clear opposition to the people who make up the community, simply accept that they have reasons for doing things the way they do, and abide by those rules when you're in their home.
> >Others are free to continue their in our opinion misguided
> >use, as long as they don't involve us, either in their mail, or in the
> >DoSs that result when one of their HTML mail spread malware things gets
> >going!
Well said. In other words - use HTML all you want anywhere else, just don't use it in my backyard.
>
> Since many emails are already html, and there hasn't been any wide spread
> "malware thing" in quite some time, you still don't seem to have a real
> solid basis for your opinion, at least not one that's based on current
> facts, and objective analysis.
>
So, exactly what would you refer to the Sober Worm attack on Nov. 23 as??? 3 weeks ago is pretty damned recent. And as for "objective analysis"... How many spam filter rules are there that boil down to "It's got HTML/it's got loads of HTML in it - it's probably spam". I'd call that a fairly objective viewpoint.
> >( Had plain text
> >remained the rule, all those infections wouldn't have happened, and I'd
> >likely still be able to run my own mail server and connect to others
> >directly, so YES, it has affected me!)
>
Seconded! (Because I AM tasked with trying to run the mail server in addition to every other technical aspect of our operation, and had to deal with that attack 3 weeks ago)
> If we all communicated using Morse code we would be safe also, we don't
> because there are more convenient and effective methods. Do you allow html
> to be rendered when you browse the web? If so, why is email more dangerous
> when your email client can easily be configured to render html just as
> safely as your browser?
>
How's about because we can CHOOSE where we go when we browse the web, and we can change the settings that we use if we go to sites we don't trust. But, if you have to work at all with the public at large, you have to accept e-mail from people whose intentions are a complete mystery to you, because you can't know until you read it if it's a legitimate e-mail. Yes, you can filter out some things that are very obviously spam, but you can't stop everything.

Sorry for this rant, it's just that I happen to strongly agree with the community here that HTML e-mail is a BAD THING - especially to FLOSS lists.

--
Eric Bliss
systems design and integration,
CreativeCow.Net
--
gentoo-amd64@g.o mailing list

