Its The End Of The World As We Know It: Why HTML Encoded e-Mail Is A Terrible Idea
- More Reasons Why HTML Email is Evil
- The Solution
In December of 1874, Mark Twain bought a typewriter and wrote Tom Sawyer on it. He submitted the first typewritten manuscript to his publisher, who accepted it with glee, despite the fact that the typewriter had only uppercase letters. His publisher understood what he was onto, and Tom Sawyer did well enough that we still read it today. Since time immemorial, the English-speaking people have been able to express themselves with 26 letters and a dozen or so pieces of punctuation. So it comes as no surprise that in 1982, when Internet email standards were first written down, it was decided that 128 characters would be enough for people to get their point across. (The use of "quoted printable" has upped that number to 256 to include special characters from non-English alphabets.)
It was sometime around 1994 when Microsoft decided that it was important for people to be able to send crazy fonts and formatting in their electronic mail messages when they incorporated HTML compatibility into their email readers. In fact, Microsoft thinks that it's so important that it includes a bunch of silly HTML stationary with copies of Outlook, its email program. This lead the way to the same people sending the same email, but in 30-point blue text on a green background. Anybody looking at the state of the WWW would realize that it's insane to let people format the colors of their email.
More Reasons Why HTML Email Is Evil
Apart from simple aesthetics, there are a number of reasons why incorporating HTML into email was a Bad Idea.
Links to images (typically 1 x 1 invisible GIFS) or to any remote document can be used to track when users open an email message. Worse, the user's email address can be encoded as part of the URL to verify and validate the email addresses.
It's possible that scripts embedded in HTML mail messages will run without warning in some email programs. This is especially problematic in Microsoft Outlook Express and Outlook 98/2000, in which Active Scripting in the Internet security zone is enabled by default. You can change this by setting Outlook to use the Restricted site zone and then setting the Restricted site zone to disable Active Scripting, or (better yet) you can go to the Microsoft Office Update site (http://office.microsoft.com/), and apply all of the Office and Outlook updates that are available.
Sending Links to Large but Invisible Files
Aside from sending a tiny unnoticed image, a malicious attacker can also use HTML to overload a network by including a link to a huge file (<img src="http://foo.bar/500meg-image.jpg">) and then resize it with a "width=1 height=1" tag so that it doesn't appear in the body of the mail message.
Possible Abuse by Click-thru Banner Advertisers
Another problem can occur when producing click-thrus from banner ads. To do this, a malicious user enters into a deal with a banner-ad site, which will pay him one cent for each time someone accesses their IP address from a banner ad click-thru. He then assembles dozens or even hundreds of URLs to banner ads, and spams them out to millions of users. Each time the message is opened by an unsuspecting user, dozens of click-thrus deposit pennies in the blackhat's Swiss bank account.
Malicious Messages Difficult to Delete
One nefarious thing about HTML messages containing malicious code is that it's difficult to even delete themsimply selecting the message causes the code to execute again in the default configuration of most of today's mail readers. Almost no one uses a mail client that doesn't have some sort of preview pane, thus forcing the mail client to display images or execute embedded scripts. Deleting the problematic email often requires the removal of the "infected" machine from the network, so as to not spread the damage.