Why disable html in email?

  • Thread starter Thread starter Michael Hobbs
  • Start date Start date
M

Michael Hobbs

I am using XP-Pro with Outlook express. Reading through this group I found a
refrenece to disabling html in recieved emails. I was just wondering why?
 
Michael said:
I am using XP-Pro with Outlook express. Reading through this group I found a
refrenece to disabling html in recieved emails. I was just wondering why?
Click to expand...
If I'm not mistaken, Kurt Wismer addressed this yesterday, in another
post. Essentially, executable code (scripting language) can be embedded
in an email and you run the *risk* of executing it, which in turn could
install other, malicious code, through OE's use of IE's html engine. At
the very least, you should place your mail client in IE restricted zone,
make sure that zone is set to high security, disable OE's preview pane
and patch your system with all of the XP critical patches. Obviously, if
you're very judicious about what mail you open and from whom, your risk
can be mitigated.
 
I am using XP-Pro with Outlook express. Reading through this group I found a
refrenece to disabling html in recieved emails. I was just wondering why?

--
Click to expand...
**************** REPLY SEPARATER *****************
The most popular form of email virus today is HTML code embedded in the body of
the message. Many email readers do not support this function, and consequently
the email may appear to be blank. Most email readers will interpret text that
is tagged with HTML, but Outhouse/Outhouse Excuse can also interpret and
execute the other code, and that is the dangerous part. Because it is so
complex and powerful, as fast as Microsoft can plug the holes, more holes are
discovered.

Frankly, I have yet to find one piece of email so encoded that I really care to
see anyway (it's all been pure garbage so far). Any legitimate sender that
wants to send me literature has already learned that it is useless to send it
to me HTML encoded.

HTML DOES NOT BELONG IN A MESSAGING SYSTEM!

J.A. Coutts
 
Frankly, I have yet to find one piece of email so encoded that I really care to
see anyway (it's all been pure garbage so far). Any legitimate sender that
wants to send me literature has already learned that it is useless to send it
to me HTML encoded.

HTML DOES NOT BELONG IN A MESSAGING SYSTEM!
Click to expand...

Exactly. It's a useless waste of bandwidth and a security risk to
naive users of OE.


Art
http://www.epix.net/~artnpeg
 
Bitstring <[email protected]>, from the wonderful
person John Coutts said:
HTML DOES NOT BELONG IN A MESSAGING SYSTEM!
Click to expand...

When it turned into a full blown programming language (instead of just
hypertext - i.e. text with pictures and links) it really should have
been consigned to the waste bin. 8>.
 
If I'm not mistaken, Kurt Wismer addressed this yesterday, in another
post. Essentially, executable code (scripting language) can be embedded in
an email and you run the *risk* of executing it, which in turn could
install other, malicious code, through OE's use of IE's html engine. At
the very least, you should place your mail client in IE restricted zone,
make sure that zone is set to high security, disable OE's preview pane and
patch your system with all of the XP critical patches. Obviously, if
you're very judicious about what mail you open and from whom, your risk
can be mitigated.
Click to expand...


And adding to the security side... consider the following:


<img
src="http://spam-scum.com/spam-run-1/who-opened-mail.php?id=muppet0001
/>


You open the mail.. do nothing and delete it as it's spam.

Joe-scum comes along in the evening and checks his database...


"oh, muppet0001!! add mail address to 'good addresses' list"


So you don't even have to verify by clicking the "unsubscribe link" if
applicable (not that they work normally anyway).. but in the database,
Joe-scum will have something like:


+------------------------------------------+
| ID | mail_address |
+------------------------------------------+
| muppet0001 | (e-mail address removed) |
+------------------------------------------+


So now Joe-scum knows that you opened his shitlet and that your address is
valid (ok, obviously there are exceptions with aliases etc.. but in
general.........). If the logs are checked or the receiving page has more
detailed code to get the '/spam-run-1/' directory too.. then Joe-scum also
knows exactly _what_ mail you opened too (ie: pills.. pr0n.. mortgage...
etc) This technique is often known as a "web-bug".



Regards,

Ian
 
Michael Hobbs said:
I am using XP-Pro with Outlook express. Reading through this group I found a
refrenece to disabling html in recieved emails. I was just wondering why?
Click to expand...

One of the first dirty tricks I played on my uncle was to send
him an HTML e-mail with a META refresh in the head portion.
It would "refresh" him to a hacker site which hosted a number
of scripts in succession trying every trick in the book to crash
his OS ~ no prompting -- just smurf city.

With a time delay, and a nice little message in the body for
him to read while the clock was ticking, it made an impact
on his level of security awareness.
 
FromTheRafters said:
why?

One of the first dirty tricks I played on my uncle was to send
him an HTML e-mail with a META refresh in the head portion.
It would "refresh" him to a hacker site which hosted a number
of scripts in succession trying every trick in the book to crash
his OS ~ no prompting -- just smurf city.
Click to expand...

Or use the html to run my newsbug which will continue creating bogus
newsgroup accounts on OE until it crashes and then the target has to go back
and manually delete each and every one which depending on the speed of the
machine and how quickly OE crashes could be close to a hundred, lol
--
http://home.adelphia.net/~dinosoft
/}
@###{ ]::::::Dino-Soft Software::::::>
\}
live web cam http://www.dino-soft.org/cam
live web cam fixed and active 12 hours a day minimum
 
Sugien said:
Or use the html to run my newsbug which will continue creating bogus
newsgroup accounts on OE until it crashes and then the target has to go back
and manually delete each and every one which depending on the speed of the
machine and how quickly OE crashes could be close to a hundred, lol
Click to expand...

Yeah, that is an interesting abuse of function too. ;-)

I like the autoexecution exploits best though.
 
FromTheRafters said:
Yeah, that is an interesting abuse of function too. ;-)

I like the autoexecution exploits best though.
Click to expand...

it does autoexecute with the addition of a simple addition to the <body> tag
iow, if inside the javascript of my newsbug

<script language="JavaScript">
function newsbugs() {
removed actual;
code so as;
to not help skiddies}
</script>

I can make it autoexecuting with <BODY onLoad="newsbug()"> which of course
can be used to make any javascript autoexecuting when the web page loads.
What makes it very interesting is if they have an older version of OE such
as comes with win98SE;because after OE crashes when it is started back up
the last email that the target received was the newsbug so it starts all
over again; because in the older versions of OE it didn't have the little
safety measure of saying something like "last time OE shut down it did so,
yada yada yada"
--
http://home.adelphia.net/~dinosoft
/}
@###{ ]::::::Dino-Soft Software::::::>
\}
live web cam http://www.dino-soft.org/cam
live web cam fixed and active 12 hours a day minimum
 
FromTheRafters said:
Yeah, that is an interesting abuse of function too. ;-)

I like the autoexecution exploits best though.
Click to expand...

it does autoexecute with the addition of a simple addition to the <body> tag
iow, if inside the javascript of my newsbug

<script language="JavaScript">
function newsbugs() {
removed actual;
code so as;
to not help skiddies}
</script>

I can make it autoexecuting with <BODY onLoad="newsbug()"> which of course
can be used to make any javascript autoexecuting when the web page loads.
What makes it very interesting is if they have an older version of OE such
as comes with win98SE;because after OE crashes when it is started back up
the last email that the target received was the newsbug so it starts all
over again; because in the older versions of OE it didn't have the little
safety measure of saying something like "last time OE shut down it did so,
yada yada yada"
--
http://home.adelphia.net/~dinosoft
/}
@###{ ]::::::Dino-Soft Software::::::>
\}
live web cam http://www.dino-soft.org/cam
live web cam fixed and active 12 hours a day minimum
 
Sugien said:
Or use the html to run my newsbug which will continue creating bogus
newsgroup accounts on OE until it crashes and then the target has to go back
and manually delete each and every one which depending on the speed of the
machine and how quickly OE crashes could be close to a hundred, lol
Click to expand...

Why would you do something like that?
 
optikl said:
Why would you do something like that?
Click to expand...

I first created it as a POC to show M$ that it works; but they said it was
not a bug/hole/security risk and was rather "An abuse of a functionality".
It has since evolved into a test to make sure OE is secure and as joke
program to pull on friends<s>
--
http://home.adelphia.net/~dinosoft
/}
@###{ ]::::::Dino-Soft Software::::::>
\}
live web cam http://www.dino-soft.org/cam
live web cam fixed and active 12 hours a day minimum
 
Sugien said:
I first created it as a POC to show M$ that it works; but they said it was
not a bug/hole/security risk and was rather "An abuse of a functionality".
It has since evolved into a test to make sure OE is secure and as joke
program to pull on friends<s>
Click to expand...

I understand the POC, but the joke part I don't get. Anyway, I was just
curious.
 
optikl said:
I understand the POC, but the joke part I don't get. Anyway, I was just
curious.
Click to expand...

Well I guess it is more of a joke on someone that runs the attachment, <s>
And as a learning aid type of joke to get them to remember to not be so
click happy on attachments and to not be so smug when they think their OE is
secure with the preview pane enabled
--
http://home.adelphia.net/~dinosoft
/}
@###{ ]::::::Dino-Soft Software::::::>
\}
live web cam http://www.dino-soft.org/cam
live web cam fixed and active 12 hours a day minimum
 
is there anything to be done about this "web-bug"?
How can we protect ourselves?
-max

--
'When you have a degree-you don't know everything-just a degree'-Dr Miles
Munroe
This message is virus free as far I can tell
Change nomail.afraid.org to hotmail.com so you can reply
(nomail.afraid.org has been set up specifically for
use in Usenet. Feel free to use it yourself.)
 
Quoth the raven named Max M.Wachtel III:
is there anything to be done about this "web-bug"?
How can we protect ourselves?
-max
Click to expand...

First, don't open obvious spam.

Second, open email only in plain-text mode. Check your Outlook
Distress options on Tools > Options > Read tab
[x] Read all messages in Plain Text

Also, View > Layout > [ ] Show Preview Pane (unchecked)

BTW, your top-posted reply with genuine sig delimiter removed the rest
of the quoted material in my newsreader (and probably in any other
news program as well). Please move sig to bottom of reply.
 
BTW, your top-posted reply with genuine sig delimiter removed the rest
of the quoted material in my newsreader (and probably in any other
news program as well). Please move sig to bottom of reply.
Click to expand...

Same thing here. Using Pan 0.14.2 (linux) but only when I choose to reply
to the message. In the message pane, it's fine.
 
Quoth the raven named jafar:
Same thing here. Using Pan 0.14.2 (linux) but only when I choose to
reply to the message. In the message pane, it's fine.
Click to expand...

--
Exactly as it should be. The purpose of the "-- " delimiter is to trim
off the sig when replying. Notice, as illustration, I have typed
another delimiter just above this paragraph. If anyone reading is
unclear about the delimiter, it must be a dash-dash-space flush with
left margin and on a line by itself.

Go ahead. Try a reply and watch what happens (in a real newsreader).
 
Back
Top