OT: HTML Email Security
Lisa Kachold
lisakachold at obnosis.com
Thu Jan 29 09:27:03 MST 2009
HTML (javascript) in email can be used for harmful intent:
1) XSS tunneling
2) URI encoding crafted info/scripts
3) Virus [Microsoft]
4) Worms [RPC]
Most of these issues are trivially scrubbed with clamav (daily updated signatures based on reported virus), spamassassin on the MTA (sendmail,exim,postmaster, commercial versions of mail daemons) on both the sending and recieving side along with 2 tons of spam.
Surfing to Facebook, Myspace, YouTube, Flickr, and other sites that accept user submitted content is also dangerous. Surfing (or accessing IRC) from root or another escalated permission user is doubly foolhardy.
Using older Firefox, RealPlayer, Adobe Flash, Opening PDF's and displaying jpg's (all graphics are executable - like PDF's - which can trivially be integrated with scripts) are also dangerous.
More information about the PLUG-discuss
mailing list