html is evil (was Re: Ignore this- it's just a Test Message

Don Quixote de la Mancha quixote at dulcineatech.com
Sat Oct 8 05:38:35 EDT 2011


On Sat, Oct 8, 2011 at 2:01 AM, Liz <edodd at billiau.net> wrote:
>> But I hate html-mail, only phish- and enlarger-spams need them

If that's the case why do the message editors in both Firefox and
GMail default to HTML Mode?

It's because many of the people who send email expect to be able to
format their mail and would not understand what the problem is if
their mailers didn't come set up that way.

A simple solution would be for HTML mailers to restrict the kinds of
markup that would be accepted, and for SMTP servers to strip out
markup that could be dangerous.  For example one can also include
Javascript in email, and security holes in Javascript interpreters
enable email to 0wnz0r your mail reader.

SMTP servers should also strip <img> tags whose URLs point to images
on servers, rather than the images being included directly in the
message.  I'm not sure that's even possible with HTML mail but it
should be if it isn't.  Having images served rather than included with
the message allows spammers to know that you read their messages, by
encoding the recipient's address in the URL of the image.

If all the SMTP servers were to strip images that way, users would
complain for a while, but if one got the message out that the fix is
to just include messages with the email rather than from a server,
most people would agree that stripping served images was the right
thing to do.

Far better than HTML email would be a markup language that allowed
basic formatting but was carefully designed to make phishing and
hacking via email impossible.

If we're going to continue to use HTML mail, mail readers could cut
down on phishing quite a bit by displaying the hostname of all links
just below the link:

   Greetings from Bank of America.  We need you to update your account
   information.  Please
   <a href="http://www.mafiaa.org/password-stealer.html">login to your
   account</a> to update your profile.  Thank you for your help! -- B of A

   Clicking the above link will take you to: www.mafia.org
   Please be certain that you really want to visit the above site
   before clicking the link!  It may be a scam.

I ALWAYS hover my mouse over links in HTML mail, but if I also have
email downloading in Thunderbird, I can't see the link text because
the email download status is displayed in the same place.

Ever Faithful,

Don Quixote
-- 
Don Quixote de la Mancha
Dulcinea Technologies Corporation
Software of Elegance and Beauty
http://www.dulcineatech.com
quixote at dulcineatech.com
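
The three measures proposed in the message above (restricted markup, removal of server-hosted images, and the link hostname shown after each link), sketched as an added example that is not part of the original post. The names `MailSanitizer`, `sanitize`, `split_url` and `SAMPLE`, the tag allow-list and the placeholder wording are all assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser
from urllib.parse import urlsplit

ALLOWED = {"p", "br", "b", "i", "em", "strong", "ul", "ol", "li", "a", "img"}
DROP_WITH_TEXT = {"script", "style"}   # element and its content are discarded
SAMPLE = ('<b onclick="x()">Please</b> <a href="http://www.example.net/login">log in</a>'
          '<script>alert(1)</script><img src="http://t.example/o.gif?u=you">'
          '<img src="cid:logo">')      # constructed sample body, not from the post

def split_url(url):                    # -> (scheme, hostname); empty if malformed
    try:
        parts = urlsplit(url.strip())
        return parts.scheme.lower(), parts.hostname or ""
    except ValueError:
        return "", ""

class MailSanitizer(HTMLParser):       # output is rebuilt from the allow-list, never copied
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip, self.hosts = [], False, []
    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:         # unknown tags vanish, their text stays
            self.skip = tag in DROP_WITH_TEXT   # script/style: drop the text too
            return
        url = dict(attrs).get("href" if tag == "a" else "src") or ""
        scheme, host = split_url(url)
        if tag == "a":                 # remember the host for the note after </a>
            self.hosts.append(host or "(unknown)")
            self.out.append(f'<a href="{escape(url)}">' if scheme in ("http", "https") else "<a>")
        elif tag == "img":             # cid:/data: images travel with the message
            self.out.append(f'<img src="{escape(url)}">' if scheme in ("cid", "data")
                            else "[remote image removed]")
        else:
            self.out.append(f"<{tag}>")   # attributes such as onclick are dropped
    def handle_endtag(self, tag):
        if tag in DROP_WITH_TEXT:
            self.skip = False
        elif tag in ALLOWED and tag not in ("br", "img"):
            self.out.append(f"</{tag}>")
            if tag == "a" and self.hosts:
                self.out.append(f" [link goes to: {escape(self.hosts.pop())}]")
    def handle_data(self, data):
        if not self.skip:
            self.out.append(escape(data))

def sanitize(html_body):
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()                     # flush text buffered at end of input
    return "".join(parser.out)
```

The hostname note is taken from the parsed `href`, not from the link text, so a link whose visible text names one site while pointing at another is annotated with the real destination.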


More information about the gnucash-user mailing list