1998-02-21 - Re: I was auto-outed by an IMG tag in HTML spam

Header Data

From: Bill Stewart <bill.stewart@pobox.com>
To: “William H. Geiger III” <cypherpunks@toad.com
Message Hash: bf69fbb7d89d633333501c00ed090c4e65d5cc54acc4e740cc1950d750ad702c
Message ID: <3.0.5.32.19980220184839.008d4b50@popd.ix.netcom.com>
Reply To: <37a52bf54844994eb90c8e8af06b07b7@anon.efga.org>
UTC Datetime: 1998-02-21 04:45:15 UTC
Raw Date: Sat, 21 Feb 1998 12:45:15 +0800

Raw message

From: Bill Stewart <bill.stewart@pobox.com>
Date: Sat, 21 Feb 1998 12:45:15 +0800
To: "William H. Geiger III" <cypherpunks@toad.com
Subject: Re: I was auto-outed by an IMG tag in HTML spam
In-Reply-To: <37a52bf54844994eb90c8e8af06b07b7@anon.efga.org>
Message-ID: <3.0.5.32.19980220184839.008d4b50@popd.ix.netcom.com>
MIME-Version: 1.0
Content-Type: text/plain



>   at 03:00 AM, Anonymous <anon@anon.efga.org> said:
>>Use mail readers that don't automatically process HTML and
>>connect to image servers, accept cookies, or run javascripts.  You are
>>being watched by tricky defective, er, detective types. es.
>
>Several things here:
>
At 02:32 AM 2/18/98 -0500, William H. Geiger III wrote:
>1. HTML in mail:
>There is just no place for this crap in e-mail. If multipart/alternative
>is used it is tolarable but pure text/html messages go into the bitbucket
>with a autoreply explaining to the poster the error of their ways. :)

HTML is a fine format for email.  It's ASCII readable, and supports
content description tags that the user's mail reader can render as
bold/italic/underline/header-levels//color/etc.  It's far superior
to using bloated undocumented Microsoft Word attachments.
95% of the HTML email I get IS spam, but that's a separate problem :-)
(After all, SPAMMERs like bright colored blinking attention-getting mail.)

>2. AutoProcessing of Attachments:
>This is *allways* a BadThing(TM). Not only is it an obvious security risk
>it is a PITA for the user. I would be rally pissed if my mailer launched a
>V-Card app everytime someone thought it was a GoodThing(TM) to add these
>attachments to every message they sent out.

>3. AutoDownloading of Data:
>I imagine what happend here is the internal logic for N$ mailreader when
>processing a html/text e-mail message is to treat it just like a WebPage
>and processes it accordingly.
>IMHO a mail client that is going out to an external site to DL data wether
>it be part of a html/text message or Message/External-Body the mailer
>should prompt the user on wether or not he wishes to retreive the data.

Doesn't even need a prompt - a basic missing-picture icon is fine,
with a load-images command somewhere.  While it's not as dangerous as
auto-processing, autodownloading is annoying, and can be both a
security risk (the auto-outing problem) and a denial-of-service risk.

Needs to be either off by default or not there at all.

>My recomendations is to dump the Netscape garbage and get a real e-mail
>client. Netsacpe has done a good job at screwing up the web we really
>don't need the same favor from them with e-mail.

Netscape mail is adequate for many people, just as Eudora is.
Newer versions are pretty bloated, but including S/MIME mail encryption
for everybody is a Good Thing.
				Thanks! 
					Bill
Bill Stewart, bill.stewart@pobox.com
PGP Fingerprint D454 E202 CBC8 40BF  3C85 B884 0ABE 4639






Thread