HTML e-mail not worth the risk

* HTML e-mail can be a security risk

Many people are sending HTML e-mail for no obvious reason or benefit. HTML e-mail can be recognized by colored backgrounds or typefaces. It sometimes has designs or other decorations in the messages. Unfortunately, HTML e-mail is a security risk.

HTML messages can easily contain unwanted, mislabeled links, Web bugs, harmful active content, and outright worms and viruses.

Richard Smith warned of emerging e-mail vulnerabilities in 1999, when he listed dozens of problems related to HTML e-mail. A particularly detailed analysis showed how HTML code in e-mail could allow breaches of privacy using images and cookies:

Invisible single-pixel images (called Web bugs) can enable this kind of user e-mail tracking without alerting the naïve user because most people don’t examine the HTML code underlying received e-mail messages.

Other vulnerabilities inherent in HTML e-mail include the ability to run Visual Basic scripts, ActiveX controls, and Macromedia flash, all of which can execute unauthorized and unsafe code.

Some organizations and individuals are blocking HTML messages outright. Blocking incoming HTML e-mail is easy because it always includes recognizable strings associated with the HTML underlying the fancy display.

I urge everyone to send plain text instead of HTML as the default format for outgoing e-mail.

If you need to send a message with features beyond text, you can always create a word-processing document and send that. However, you should be aware that when you send a Microsoft Word document, not only are you putting the recipient at risk from embedded macros, but the appearance of your document may be quite different on the recipient’s computer if you do not share the same set of fonts. RTF files typically do not carry macros (although the font problem still exists).

Some recipients prefer a platform-independent format such as an Adobe Acrobat PDF file rather than a platform-specific file such as a Word document; PDF files do not depend on the recipient’s fonts for proper display, and they do not carry Word macros.

So to repeat: set your default format for outbound e-mail from HTML to TEXT in your e-mail client. Here are some hints on how to do that:

* If you are using Netscape Messenger as your client, click Edit | Mail & Newsgroups | Formatting to reach the panel that allows the configuration. Then at the top of the page, in the section labeled, "Message formatting" you can select the lower option, "Use the plain text editor to compose messages." The other section is labeled, "When sending HTML messages to recipients who are not listed as being able to receive them." You can select the second option there, "Convert the message into plain text."

* If you are using Microsoft Outlook, use the Tools | Options | Mail Format sequence to reach the panel where you can select “Compose in this message format: Plain Text” as your format for outgoing mail.

* If you are using Outlook Express, use the Tools | Options | Send sequence and check “Plain Text” in the “Mail Sending Format” section of the panel.

Other e-mail clients will also have options for you to select plain text.

Remember the old Shaker hymn: "’Tis the gift to be simple / ‘tis the gift to be free, / ‘tis the gift to come down / where we ought to be.”

Keep it simple; keep it plain.

Learn more about this topic

Email security hazards

Richard Smith

Bugnosis Web Bug FAQ

How HTML email invades your privacy

A quick guide to email security

“‘Tis the gift to be simple”

Join the Network World communities on Facebook and LinkedIn to comment on topics that are top of mind.
Must read: 10 new UI features coming to Windows 10