HTML (javascript) in email can be used for harmful intent:

1) XSS tunneling
2) URI encoding crafted info/scripts
3) Virus [Microsoft]
4) Worms [RPC]

Most of these issues are trivially scrubbed with clamav (daily updated 
signatures based on reported viruses), spamassassin on the MTA 
(sendmail, exim, postmaster, commercial versions of mail daemons) on both the 
sending and receiving side along with 2 tons of spam.

Surfing to Facebook, Myspace, YouTube, Flickr, and other sites that accept user 
submitted content is also dangerous.  Surfing (or accessing IRC) from root or 
another escalated permission user is doubly foolhardy. 

Using older Firefox, RealPlayer, Adobe Flash, opening PDFs and displaying 
JPGs (all graphics are executable - like PDFs - which can trivially be 
integrated with scripts) are also dangerous.

>From my way of thinking, that's pretty much everything, therefore the only 
>defense is to run the most recently patched Browser, use a mail and attachment 
>scanner or web based portal (like Gmail) and access mail from a non production 
>system, 

http://wiki.obnosis.com | http://hackfest.obnosis.com | http://nuke.obnosis.com
PLUG HACKFESTS - http://uat.edu Second Saturday of Each Month Noon - 3PM
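
The kind of check a mail filter or a text-only client could apply to the HTML risks listed above, as an added example (not code from anyone in this thread): it walks a message's MIME parts, flags script tags, event-handler attributes and script-scheme URIs in text/html parts, and returns the visible text only. The sample message, class name and function name are constructed for illustration.

```python
from email import message_from_bytes, policy
from html.parser import HTMLParser

# Constructed sample message (not taken from the thread).
SAMPLE = (b'From: a@example.org\nSubject: constructed sample\nMIME-Version: 1.0\n'
          b'Content-Type: multipart/alternative; boundary="b1"\n\n'
          b'--b1\nContent-Type: text/plain\n\nHello list\n--b1\nContent-Type: text/html\n\n'
          b'<body onload="t()"><p>Hello <b>list</b></p><script>document.title="x"</script>'
          b'<a href=" JavaScript:void(0)">link</a></body>\n'
          b'--b1--\n')

class ActiveContentScanner(HTMLParser):
    """Records script-capable markup and collects the visible text."""
    ACTIVE_TAGS = {"script", "iframe", "object", "embed", "applet"}
    URL_ATTRS = {"href", "src", "action", "formaction"}
    SCRIPT_SCHEMES = ("javascript:", "vbscript:", "data:")

    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.findings, self.text, self._skip = [], [], 0

    def handle_starttag(self, tag, attrs):  # tag and attribute names arrive lowercased
        if tag in self.ACTIVE_TAGS:
            self.findings.append(("tag", tag))
        if tag in ("script", "style"):
            self._skip += 1  # script/style bodies are not visible text
        for name, value in attrs:
            value = (value or "").strip().lower()  # tolerate padding and mixed case
            if name.startswith("on"):  # onload, onclick, onerror, ...
                self.findings.append(("event-handler", name))
            elif name in self.URL_ATTRS and value.startswith(self.SCRIPT_SCHEMES):
                self.findings.append(("script-uri", name))

    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip and data.strip():
            self.text.append(data.strip())

def scan_message(raw):
    """Return (findings, visible_text) over every text/html part of a raw message."""
    msg = message_from_bytes(raw, policy=policy.default)
    findings, text = [], []
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            scanner = ActiveContentScanner()
            scanner.feed(part.get_content())
            scanner.close()
            findings += scanner.findings
            text += scanner.text
    return findings, " ".join(text)
```

A message with no findings can be shown as-is; one with findings can be quarantined or displayed from the returned text alone.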




Date: Thu, 29 Jan 2009 08:45:04 -0700
Subject: Re: OT: HTML Emails -- Re: Other than frys where would you get server  
hardware
From: lthiels...@gmail.com
To: plug-discuss@lists.plug.phoenix.az.us



On Thu, Jan 29, 2009 at 7:31 AM, Judd Pickell <pick...@gmail.com> wrote:

Not everyone wants to have to change a setting while just trying to view their 
emails. Although to be fair I use gmail so I don't have to be concerned about 
it. But I am sure there are people on this list still using Pine or equiv, 
since that is and can be done via commandline like ssh from a phone.

Maybe those folks should just go back to using carrier pigeons.  Alternatives 
could include changing to using an email client that would support THEIR need 
to block or convert HTML to text.  Expecting the rest of the world to change to 
do what they want is just wrong and ain't gonna happen. 




I am curious, how many truly html based emails do we get on this list? I would 
think lately we may be receiving more, given the link structures in some emails; 
so maybe it is a concern now? 
I don't know but I did change to using plain text for some time because of the 
desires of certain people here.  The loss of functionality was bothersome so I 
finally switched back to the rich text mode of gmail.


I do understand that html CAN be used for harmful intent but then what can't?  
If you want to fear technology, don't use it!



Sincerely,
Judd


---------------------------------------------------

PLUG-discuss mailing list - PLUG-discuss@lists.plug.phoenix.az.us

To subscribe, unsubscribe, or to change your mail settings:

http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss


-- 
Man is the only animal that laughs and weeps, for he is the only animal that is 
struck with the difference between what things are and what they ought to be.

  - William Hazlitt
