
The Solution

Apart from everyone rapidly abandoning HTML-compliant email programs, there is no simple solution for avoiding these problems. Years of suffering wave after wave of MS Word viruses haven't convinced users to switch to a more secure word processor. There are, however, a few programs that will display only innocuous HTML and will not do anything potentially dangerous (such as download images from the outside world). Because Outlook 2000 is the corporate standard, we will measure the recommended applications against what users expect today. Outlook 2000 automatically displays HTML in email messages, and provides no user-configurable option to disable it. Figure 1 shows an example HTML email message, and how it normally looks when read in Outlook 2000.

Figure 1 An HTML encoded mail message, as seen in Outlook 2000.

Eudora 5.1

Eudora 5.1 by Qualcomm (http://www.eudora.com/) is available for Windows and MacOS operating systems. Eudora has three flavors: Sponsored, Paid, and Lite. Eudora Sponsored is the fully featured email client that automatically displays static ads in the lower-left corner of your client window. Eudora Paid is the same client, but you pay $39.95 to dispense with the ads. Eudora Lite is a stripped-down version of the client with no payment or ad requirement. Figure 2 shows the email from Figure 1, as displayed by Eudora 5.1 Sponsored.

Figure 2 The same email, as seen in Eudora 5.1 Sponsored.

All image links were disabled, as were animated GIFs, in the preferences panel. See Figure 3 for how this was configured.

Figure 3 Eudora's preferences configuration panel.


Evolution

Evolution by Ximian, Inc. (http://www.ximian.com/) is a GNOME application that is freely available for most UNIX/Linux systems. Evolution is similar to Outlook 2000 in that it combines email, calendar, address book, and task list management in one application. The similarity stops there because Evolution is plagued by none of the virus, trojan, or worm attacks that plague the Windows world.

Evolution supports Internet standards, including IMAP, POP3, vCard, iCalendar, and LDAP. With a commercial add-in from Ximian, Evolution can even talk directly to Microsoft Exchange servers. See Figure 4 for how the email from Figure 1 is presented. Additionally, see Figure 5 for how to configure this feature. Evolution is open source software licensed under the GNU Public License (GPL). The add-in, Ximian Connector for Microsoft Exchange, is a proprietary product available by contacting Ximian.

Figure 4 The same email, as seen in Evolution.

Figure 5 Configuring Ximian to work with Microsoft Exchange.


Mail.app

Mail.app by Apple, Inc. (http://www.apple.com/macosx/) is the built-in email client that comes as part of MacOS X. Mail.app is an extremely nimble client that performs quite well, has all the standard features of an email-only client, and is surprisingly simple to use—despite all the features it has. See Figure 6 for how the email from Figure 1 is presented. Additionally, see Figure 7 for how to configure this feature.

Figure 6 The same email, as seen in Mail.app.

Figure 7 The configuration window for MacOS X's Mail.app. Mail.app allows you to turn off potentially dangerous HTML.


Entourage

Entourage by Microsoft (http://www.microsoft.com/macoffice/) is part of Office 2001 for MacOS 9 or Office X for MacOS X. Entourage is a Macintosh-only client, not available for Windows platforms. Entourage has feature-sets similar to Outlook 2000, except that it does not talk to Microsoft Exchange servers natively. I admit that I am puzzled about why Microsoft would release an extremely useful, security-conscious feature only for the Macintosh platform and not for its own operating systems. See Figure 8 for how the email from Figure 1 is presented. Additionally, see Figure 9 for how to configure this feature.

Figure 8 The same email, as seen in Entourage for the Macintosh.

Figure 9 Entourage's configuration options allow you to shut off network access while displaying "complex" HTML or to not display complex HTML at all.


SquirrelMail

SquirrelMail (http://www.squirrelmail.org/) is a nice, lightweight, Web-based email client. The recently released 1.2.x series allows the administrator to enable or disable HTML email viewing by default. If enabled, it includes an HTML view that strips out the JavaScript, meta tags, and any images/documents that were not included in the email itself. SquirrelMail is extensible through plug-ins that change or enhance its behavior and features. This allows the administrator to decide how much is necessary. See Figure 10 for how the email from Figure 1 is presented to the user. SquirrelMail is open source software licensed under the GNU Public License (GPL).

Figure 10 The same message seen in SquirrelMail. SquirrelMail actually indicates to the user that the HTML not displayed was removed for security reasons.
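The kind of stripping described above (JavaScript, meta tags, and images that are not carried inside the message itself) can be expressed as an allowlist filter. The Python below is an added example, not SquirrelMail's own code; the tag and attribute policy, the function and class names, and the sample message are assumptions constructed for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Assumed policy for this example (not SquirrelMail's actual rule set).
ALLOWED_TAGS = {"a", "b", "br", "div", "em", "i", "img", "li", "ol", "p",
                "span", "strong", "table", "td", "th", "tr", "ul"}
DROP_WITH_CONTENT = {"script", "style"}   # element and its body are both dropped
VOID_TAGS = {"br", "img"}                 # no closing tag is emitted for these
URL_SCHEMES = {"href": ("http:", "https:", "mailto:"),
               "src": ("cid:",)}          # images: parts attached to the mail only
PLAIN_ATTRS = {"alt", "title", "width", "height"}

class MailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.removed, self.skip_depth = [], [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth += 1
        if self.skip_depth or tag not in ALLOWED_TAGS:
            self.removed.append(f"<{tag}>")   # covers meta, iframe, object, ...
            return
        kept = []
        for name, value in attrs:
            value = (value or "").strip()
            schemes = URL_SCHEMES.get(name)
            if (schemes and value.lower().startswith(schemes)) or name in PLAIN_ATTRS:
                kept.append(f' {name}="{escape(value)}"')
            else:                             # on* handlers, remote src, other schemes
                self.removed.append(f"{tag}[{name}]")
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_WITH_CONTENT:
            self.skip_depth = max(0, self.skip_depth - 1)
        elif not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):
        if not self.skip_depth:
            self.out.append(escape(data))     # text is re-escaped, never passed raw

def sanitize(html_body):
    """Return (clean_html, removed) so the viewer can tell the user what was cut."""
    parser = MailSanitizer()
    parser.feed(html_body)
    parser.close()
    return "".join(parser.out), parser.removed

# Constructed sample message body.
SAMPLE = ('<meta http-equiv="refresh" content="0;url=http://tracker.example/">'
          '<p onmouseover="x()">Hello <b>world</b></p>'
          '<script>document.location="http://tracker.example/"</script>'
          '<img src="http://tracker.example/bug.gif" width="1" height="1">'
          '<img src="cid:logo@example" alt="logo"><a href="javascript:x()">click</a>')
```

The second return value lists each element or attribute that was removed, which is what lets a client show the user a notice like the one in Figure 10.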


IMP

IMP (http://horde.org/imp/), the Internet Mail Program, is another Web-based, fully featured email client that doesn't by default display HTML emails. IMP is part of the Horde Project, which is a platform for Web-based applications for productivity, messaging, and project management. IMP is open source software licensed under the GNU Public License (GPL).
