OT: Re: html is evil (was Re: Ignore this- it's just a Test Message
Geert Janssens
janssens-geert at telenet.be
Sat Oct 8 06:00:52 EDT 2011
On Saturday 8 October 2011, Don Quixote de la Mancha wrote:
> A simple solution would be for HTML mailers to restrict the kinds of
> markup that would be accepted, and for SMTP servers to strip out
> markup that could be dangerous. For example one can also include
> Javascript in email, and security holes in Javascript interpreters
> enable email to 0wnz0r your mail reader.
>
> SMTP servers should also strip <img> tags whose URLs point to images
> on servers, rather than the images being included directly in the
> message. I'm not sure that's even possible with HTML mail but it
> should be if it isn't. Having images served rather than included with
> the message allows spammers to know that you read their messages, by
> encoding the recipient's address in the URL of the image.
>
> If all the SMTP servers were to strip images that way, users would
> complain for a while, but if one got the message out that the fix is
> to just include messages with the email rather than from a server,
> most people would agree that stripping served images was the right
> thing to do.
I manage a mail server myself and can tell you this solution doesn't work
either.
For starters: users can digitally sign their mails to guarantee the recipient
gets the message unaltered. Having a mail server strip some unwanted content
invalidates the message signature. And guess what happens in a spam filter
with an invalid signature? The spam score is increased and the recipient gets
a big red scary warning that his message content has been tampered with. This
message would be more scary to the end user than the benefit the stripping
would bring in my opinion.
On the mail system level you have similar techniques that require the message
to remain unaltered. Messing with the message body there is a sure way to trip
up spam filters.
Geert
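To illustrate the signature point made above, here is an added Python example (not code from the thread or from GnuCash) that computes a simplified DKIM-style body hash over a constructed HTML message, strips the remote <img> tag the way a server-side filter would, and shows that the signed hash no longer verifies; stripping only at display time in the client leaves the stored message intact and still verifiable. The message body, the tracking URL and the canonicalization routine are constructed for the demo and are not a real DKIM implementation.

```python
"""Simplified DKIM-style body-hash demo: stripping remote <img> tags in
transit breaks the signed hash; stripping only at render time does not."""
import base64
import hashlib
import re

# Constructed sample HTML body; the tracking URL is a placeholder domain.
ORIGINAL_BODY = (
    "<html><body>\r\n"
    "<p>Hello,</p>\r\n"
    '<img src="http://tracker.example.invalid/pixel.gif?u=recipient">\r\n'
    '<img src="data:image/gif;base64,R0lGODlhAQABAAAAACw=">\r\n'
    "<p>Regards</p>\r\n"
    "</body></html>\r\n"
)

# <img> whose src is fetched from a remote server (http://, https:// or //).
REMOTE_IMG = re.compile(r'<img\b[^>]*\bsrc\s*=\s*["\']?(?:https?:)?//[^>]*>', re.I)


def canonicalize_simple(body: str) -> str:
    """Approximation of DKIM 'simple' body canonicalization: normalize line
    endings to CRLF and reduce trailing empty lines to a single CRLF."""
    body = body.replace("\r\n", "\n").replace("\n", "\r\n").rstrip("\r\n")
    return body + "\r\n" if body else ""


def body_hash(body: str) -> str:
    """Base64 SHA-256 over the canonicalized body, like a DKIM bh= value."""
    digest = hashlib.sha256(canonicalize_simple(body).encode("utf-8")).digest()
    return base64.b64encode(digest).decode("ascii")


def verify_body(body: str, expected_bh: str) -> bool:
    """Recipient-side check: does the received body match the signed hash?"""
    return body_hash(body) == expected_bh


def strip_remote_images(html: str) -> str:
    """Remove <img> tags that fetch from a remote server; keep data: images."""
    return REMOTE_IMG.sub("", html)


def demo() -> dict:
    bh = body_hash(ORIGINAL_BODY)  # computed by the sender at signing time
    stripped = strip_remote_images(ORIGINAL_BODY)
    return {
        "intact_verifies": verify_body(ORIGINAL_BODY, bh),  # True
        "stripped_in_transit_verifies": verify_body(stripped, bh),  # False
        "remote_img_removed": "tracker.example.invalid" not in stripped,
        "data_img_kept": "data:image/gif" in stripped,
    }
```

A client that keeps the original message on disk and applies strip_remote_images only when rendering gets both results: the stored copy still verifies, and the tracking pixel is never fetched.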