HTML (javascript) in email can be used for harmful intent:
1) XSS tunneling
2) URI encoding crafted info/scripts
3) Virus [Microsoft]
4) Worms [RPC]
Most of these issues are trivially scrubbed with clamav (daily updated signatures based on reported viruses), spamassassin on the MTA (sendmail, exim, postmaster, commercial versions of mail daemons) on both the sending and receiving side, along with 2 tons of spam.
Surfing to Facebook, Myspace, YouTube, Flickr, and other sites that accept user submitted content is also dangerous. Surfing (or accessing IRC) from root or another escalated permission user is doubly foolhardy.
Using older Firefox, RealPlayer, Adobe Flash, opening PDFs and displaying JPGs (all graphics are executable - like PDFs - which can trivially be integrated with scripts) are also dangerous.
From my way of thinking, that's pretty much everything; therefore the only defense is to run the most recently patched browser, use a mail and attachment scanner or web based portal (like Gmail), and access mail from a non production system.
http://wiki.obnosis.com |
http://hackfest.obnosis.com |
http://nuke.obnosis.com
PLUG HACKFESTS -
http://uat.edu Second Saturday of Each Month Noon - 3PM
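As an added example (not the poster's code, nor anything from the list): a small Python renderer that does what the thread suggests for a client that blocks or converts HTML to text. It prefers the text/plain part of a message; if only HTML exists it flattens the markup to text, drops script/style/object/iframe-style elements, on* handlers and javascript: URLs, and returns a log of what it removed. The message it runs on is constructed for the example.

```python
import email
from email import policy
from html.parser import HTMLParser

# Elements that run code or pull remote content; dropped outright (script/style text too).
ACTIVE_TAGS = {"script", "style", "object", "embed", "iframe", "applet", "form", "meta", "link"}

class HtmlToText(HTMLParser):
    # Flatten HTML to plain text, logging every active tag or attribute that was removed.
    def __init__(self):
        super().__init__()
        self.parts, self.dropped, self._skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.dropped.append(tag)
            self._skip += tag in ("script", "style")  # also swallow their text
        elif tag in ("br", "p", "div", "tr", "li"):
            self.parts.append("\n")
        for name, value in attrs:  # on* event handlers and javascript: URLs
            if name.startswith("on") or (value or "").strip().lower().startswith("javascript:"):
                self.dropped.append(f"{tag}@{name}")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.parts.append(data)

def render_safely(raw):
    """Return (text, dropped): the text/plain part when one exists, else the HTML flattened."""
    msg = email.message_from_string(raw, policy=policy.default)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        return plain.get_content(), []
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return "", []
    parser = HtmlToText()
    parser.feed(html.get_content())
    parser.close()
    return "".join(parser.parts).strip(), parser.dropped

# Constructed HTML-only message (not a real list post) used to exercise the renderer.
SAMPLE = """\
Subject: constructed test message
Content-Type: text/html; charset="utf-8"

<html><body><p>Hackfest is <b>Saturday</b> at noon.</p>
<script>alert('hi')</script><a href="javascript:alert(1)" onclick="alert(1)">details</a></body></html>
"""
```

Running `render_safely(SAMPLE)` yields the visible text only, with `["script", "a@href", "a@onclick"]` as the list of removed active content; a multipart/alternative message with a text/plain part never touches the HTML at all.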
Date: Thu, 29 Jan 2009 08:45:04 -0700
Subject: Re: OT: HTML Emails -- Re: Other than frys where would you get server hardware
From: lthielster@gmail.com
To: plug-discuss@lists.plug.phoenix.az.us
On Thu, Jan 29, 2009 at 7:31 AM, Judd Pickell <pickell@gmail.com> wrote:
Not everyone wants to have to change a setting while just trying to view their emails. Although to be fair I use gmail so I don't have to be concerned about it. But I am sure there are people on this list still using Pine or equiv, since that is and can be done via commandline like ssh from a phone.
Maybe those folks should just go back to using carrier pigeons. Alternatives could include changing to using an email client that would support THEIR need to block or convert HTML to text. Expecting the rest of the world to change to do what they want is just wrong and ain't gonna happen.
I am curious, how many truly html based emails do we get on this list? I would think lately we may be receiving more, given the link structures in some emails; so maybe it is a concern now?
I don't know but I did change to using plain text for some time because of the desires of certain people here. The loss of functionality was bothersome so I finally switched back to the rich text mode of gmail.
I do understand that html CAN be used for harmful intent but then what can't? If you want to fear technology, don't use it!
Sincerely,
Judd
---------------------------------------------------
PLUG-discuss mailing list -
PLUG-discuss@lists.plug.phoenix.az.us
To subscribe, unsubscribe, or to change your mail settings:
http://lists.PLUG.phoenix.az.us/mailman/listinfo/plug-discuss
--
Man is the only animal that laughs and weeps, for he is the only animal that is struck with the difference between what things are and what they ought to be.
- William Hazlitt