
HTML email, was Re: reading color quoted replies



On Thu, Feb 01, 2007 at 03:59:51PM -0500, Marc Vaillant wrote:
> This just isn't realistic.  What sort of view of mutt do you think an
> Outlook user (potential mutt user) is going to get if I tell them "Hey
> check out this great text based MUA that I have... only thing is, you
> know that feature that everyone in the office loves to use with their
> clients, well you have to tell them not to use it."

Disclaimer: I am a security enthusiast.

I would say your best angle is a security angle.  See if you can get
someone with the authority to recognize that reading your email with a
web browser and/or sending HTML poses a threat to the security of the
company and the users who don't know better.

If they don't know what phishing is, explain it to them.

Be sure you communicate how HTML rendering (and especially JavaScript)
have capabilities to confuse and mislead the user.

Further, say that email worked fine with no phishing incidents for a
good 20 years before HTML came along.  Do you think HTML email is so
important that the Internet did without it for 20 years?

If the person needs to send an attachment, that's fine.  That takes
care of any argument about images.  While the content of an attachment
may not be obvious from its filename (a book and its cover), at least
you know

1) Who sent it (modulo sender spoofing; HTML can only make it worse)
2) That it is an attachment
3) That you are downloading and/or executing that attachment.

If they have any doubts about the misleading potential of overly
complex formats like HTML and all the active crap that it can contain,
I'll be happy to convince them.  Just send me written permission,
your email address, and view each email, then email me and tell me
what they did.  Then I'll show you what you didn't know they did.
You will, however, be on your own when it comes to cleaning up the
resulting mess.

You can see a harmless example of many of them by going to this:

http://www.digicrime.com/

(NOTE: Browsing this site will cause all sorts of surprising behavior,
including sending emails from your machine).

If you need some "argument by authority", I point you to the fact that
the DoD banned the use of HTML email and OWA:

http://www.fcw.com/article97178-12-22-06-Web

On a personal level, you can always create an autoresponder that says
something like, "I'm sorry, but I was expecting an email from you and
instead I got a web page.  I do not use a web browser to read email,
so I cannot view this.  If you wish to communicate by email, please
try sending one."

> Yes, but equally sad are those who waste their lives pipe dreaming.
> Having enough foresight to know which battles will bring gain sorts the
> successful from the unsuccessful.

I hear the same arguments about using Windows instead of other OSes.
-- 
The driving force behind innovation is sublimation.
-><- <URL:http://www.subspacefield.org/~travis/>
For a good time on my UBE blacklist, email john@xxxxxxxxxxxxxxxxxx

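The point made in the message above, that HTML rendering and script content can confuse and mislead the reader, shown as an added example that is not part of the original post: a Python check that flags active content and links whose displayed URL differs from the real target, and reports whether a plain-text part exists at all. The sample message, its hostnames, and the names `host`, `Audit` and `audit` are constructed for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

SAMPLE = """\
Subject: Please verify your account
Content-Type: text/html; charset="utf-8"

<p>Sign in at <a href="http://login.other.example/x">https://www.bank.example/login</a></p>
<script>document.title = "Example Bank";</script>
"""  # constructed message, not taken from the thread

def host(s):  # hostname of a URL-looking string, else None
    s = (s or "").strip()
    try:
        h = urlparse(s if "://" in s else "//" + s).hostname
    except ValueError:
        return None
    return h if h and "." in h and not any(c.isspace() for c in s) else None

class Audit(HTMLParser):  # flags <script> and deceptive links
    def __init__(self):
        super().__init__()
        self.findings, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "script":
            self.findings.append("active content: <script>")
        elif tag == "a":  # start collecting the text the reader will see
            self._href, self._text = dict(attrs).get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown, real = host("".join(self._text)), host(self._href)
            if shown and real and shown != real:
                self.findings.append(f"link text shows {shown} but goes to {real}")
            self._href = None

def audit(raw):  # -> (has_plain_text_part, findings)
    parts = list(message_from_string(raw, policy=policy.default).walk())
    parser = Audit()
    for part in parts:
        if part.get_content_type() == "text/html":
            parser.feed(part.get_content())
    return any(p.get_content_type() == "text/plain" for p in parts), parser.findings
```

A text-only reader shows the same anchor as its raw markup, so the mismatch between the displayed and the real host is visible to the user without any tooling.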