HTML e-mail is very dangerous, and its use will guarantee that you get more spam.
This is because of something called a "web bug". But since you won't just take my word for it, keep reading...
Let's say that someone sends you an e-mail message that really contains the following:
From: moron@yourcompany.com
Subject: I'm not working!
<h1>Yo, Whassup??</h1>
<p>
I got <b>no</b> work done today because I wasted the whole day looking at
<a href="http://www.youtube.com/">http://www.youtube.com/</a>
</p>
<p style="background: #ff6eb4; color: #800000">
That Youtube is really <b>PHAT!</b>
</p>
<p>
— Tony
</p>
A stupid message with a bunch of HTML mark-up code generated by the sender's fancy e-mail tool. But how will that message appear in your e-mail tool?
It should appear literally as it does above! You should see the HTML tags. Your e-mail tool should not render the HTML into the supposedly pretty picture that it describes. That is, it should look like the above and NOT like this:
From: moron@yourcompany.com
Subject: I'm not working!
I got no work done today because I wasted the whole day looking at http://www.youtube.com/
That Youtube is really PHAT!
— Tony
The simple answer is this: If your e-mail tool renders HTML, then you WILL get more spam.
Therefore you should turn OFF HTML rendering and see messages as their literal content like the first version above.
Oh, I can hear the wailing already....
"I have to use HTML formatting, because I can't get my point across in English prose without special fonts and colors!"
— Then you are an idiot and should not be using computers.
"But my boss insists that I use HTML formatting!"
— Then your boss is an idiot.
"But my company cannot function without HTML formatting!"
— Then your entire company is based on idiocy.
"But, but, fancy HTML formatting is more important to me than computer security or reducing spam or anything else, and by golly, I REALLY want to use it because then I can use those funny 'smiley face' pictures!"
— Then you probably should not be allowed out in public unsupervised.
Not that I feel strongly about this, but
HTML E-mail is the Paris Hilton of electronic communication.
Supposedly it's "all about style", but really it's:
0% substance
5% style
95% pure tackiness and not really pretty at all
And meanwhile it accomplishes nothing worthwhile.
Fine, here is a real spam message that I received. I have kept all the headers in here, which allows us to see that it started from IP address 67.159.5.238. Hmmm, whois tells us that this spam was sent from:
FDC Servers.net, LLC
OrgID: FDCSE
Address: 141 West Jackson Blvd, Suite 1135
City: Chicago
StateProv: IL
PostalCode: 60604
Country: US
It started on a machine named hedra.slmhosting.net, then made a few hops through insightbb.com, my ISP at the time.
It was really sent to my e-mail address, which I have changed to target@insightbb.com because the spammers use robots to scrape web pages for e-mail addresses. I will, however, include the e-mail addresses of support@fdcservers.net and abuse@fdcservers.net here, since it was their system that spammed me and they should share in the fun. C'mere, spammer spammer spammer...
Back to the HTML analysis. Below is the message, exactly as received. Examine the very last line of content:
From mailsiparis@istanbulbilisim.com.tr Thu Jun 14 16:38:26 2007
Return-path: <nobody@hedra.slmhosting.net>
Received: from mta4.manage.insightcom.com ([172.31.249.158])
by msb1.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0JJN00M3N805PR80@msb1.manage.insightcom.com> for
target@insightbb.com; Thu, 14 Jun 2007 16:38:29 -0400 (EDT)
Received: from asav05.insightbb.com ([172.31.249.123])
by mta4.manage.insightcom.com
(Sun Java System Messaging Server 6.2-6.01 (built Apr 3 2006))
with ESMTP id <0JJN00LZY804EZS0@mta4.manage.insightcom.com> for
target@insightbb.com (ORCPT target@insightbb.com); Thu,
14 Jun 2007 16:38:29 -0400 (EDT)
Received: from unknown (HELO hedra.slmhosting.net) ([67.159.5.238])
by aa05.insightbb.com with ESMTP; Thu, 14 Jun 2007 16:38:28 -0400
Received: from nobody by hedra.slmhosting.net with local (Exim 4.66)
(envelope-from <nobody@hedra.slmhosting.net>)
id 1Hyw5K-0003dV-Bk for target@insightbb.com; Thu,
14 Jun 2007 16:38:26 -0400
Date: Thu, 14 Jun 2007 16:38:26 -0400
From: "mailsiparis@istanbulbilisim.com.tr" <mailsiparis@istanbulbilisim.com.tr>
Subject: Istanbul Bilisim A.S Bahar Kampanyalari Kacirilmayacak Firsatlar
X-Sender: <mailsiparis@istanbulbilisim.com.tr>
To: target@insightbb.com
Reply-to: "mailsiparis@istanbulbilisim.com.tr"
<mailsiparis@istanbulbilisim.com.tr>
Message-id: <E1Hyw5K-0003dV-Bk@hedra.slmhosting.net>
MIME-version: 1.0
X-Mailer: PHP 4
Content-type: text/html;
charsetiso-8859-1=""
Content-transfer-encoding: 8BIT
<HTML><HEAD><TITLE>maillcd</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1254">
<META content="MSHTML 6.00.6000.16441" name=GENERATOR></HEAD>
<BODY bgColor=#ffffff leftMargin=0 topMargin=0 marginwidth="0" marginheight="0"><!-- ImageReady Slices (maillcd.jpg) -->
<TABLE id=Table_01 height=1116 cellSpacing=0 cellPadding=0 width=800 border=0>
<TBODY>
<TR>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG height=150 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_01.jpg" width=290 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG height=150 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_02.jpg" width=224 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG height=150 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_03.jpg" width=286 border=0></A></TD></TR>
<TR>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=459"><IMG height=262 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_04.jpg" width=290 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=458"><IMG height=262 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_05.jpg" width=224 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=470"><IMG height=262 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_06.jpg" width=286 border=0></A></TD></TR>
<TR>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=474"><IMG height=268 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_07.jpg" width=290 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=451"><IMG height=268 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_08.jpg" width=224 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=302"><IMG height=268 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_09.jpg" width=286 border=0></A></TD></TR>
<TR>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=448"><IMG height=278 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_10.jpg" width=290 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=329"><IMG height=278 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_11.jpg" width=224 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=402"><IMG height=278 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_12.jpg" width=286 border=0></A></TD></TR>
<TR>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG height=158 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_13.jpg" width=290 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG height=158 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_14.jpg" width=224 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG height=158 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_15.jpg" width=286 border=0></A></TD></TR></TBODY></TABLE><!-- End ImageReady Slices -->
<P> </P>
<P align=center>Istanbul Bilisim A.S. Yaz Kampanyalari</P>
<P align=center>Bu Maili almak istemiyorsanız asagidaki unsubscribe linkine tiklayiniz...</P><div align='center' style='font-face: verdana;'>
<a href='http://www.reklam.istanbulbilisim.com.tr/mwsubscribe/index.php?what=doUn&email=target@insightbb.com&c=Ym9iLmNyb213ZWxsQGluc2lnaHRiYi5jb20=&t=1&nId=9'>Unsubscribe</a>
| <a href='http://www.reklam.istanbulbilisim.com.tr/mwsubscribe/index.php?what=login&email=target@insightbb.com'>Change Subscription Preferences</a>
</div>
</BODY></HTML><img src="http://www.reklam.istanbulbilisim.com.tr/mwsubscribe/track.php?su=31&s=112332" width="1" height="1">
Ahah! Look at what that last line would do if you used an e-mail tool that rendered HTML.
Congratulations! You just sent the message su=31&s=112332 to the spammer's server. Everyone who got this message got unique numbers embedded in their message. What does it mean when you make this request of the spammer's server? It tells the spammer that this particular address is live, that somebody reads the mail sent to it, and when it was read. That is exactly the information needed to send you more spam.
Turn off that HTML rendering!
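As an added example (not the page's own code), here is a Python script that does by program what the text above does by hand: it walks the Received: headers from the bottom up to find where the message entered the ISP's servers (the 67.159.5.238 hop), and it scans the HTML body for web bugs, flagging 1x1 images and images whose URL carries per-recipient parameters. The sample message is a constructed, trimmed copy of the spam shown above; the detection heuristics are my own, not anything the page or the spammer's tool defines.

```python
import email, email.policy, ipaddress, re
from html.parser import HTMLParser

# Constructed sample: a trimmed copy of the spam message shown above.
RAW_MESSAGE = """\
Received: from asav05.insightbb.com ([172.31.249.123])
 by mta4.manage.insightcom.com with ESMTP; Thu, 14 Jun 2007 16:38:29 -0400
Received: from unknown (HELO hedra.slmhosting.net) ([67.159.5.238])
 by aa05.insightbb.com with ESMTP; Thu, 14 Jun 2007 16:38:28 -0400
From: mailsiparis@istanbulbilisim.com.tr
To: target@insightbb.com
Content-Type: text/html; charset=iso-8859-1

<HTML><BODY><IMG height=150 src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_01.jpg" width=290>
</BODY></HTML><img src="http://www.reklam.istanbulbilisim.com.tr/mwsubscribe/track.php?su=31&s=112332" width="1" height="1">
"""
IP_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def origin_ip(msg):
    """Walk Received: headers bottom-up (earliest hop first) and return the first
    public IP. Only hops added by your own provider are trustworthy; lower ones may be forged."""
    for hop in reversed(msg.get_all("Received", [])):
        for ip in IP_RE.findall(hop):
            if ipaddress.ip_address(ip).is_global:
                return ip
    return None

class WebBugFinder(HTMLParser):
    """Collect <img> tags that look like web bugs: 1x1 (or smaller) images, or
    images whose URL carries a query string (per-recipient tracking parameters)."""
    def __init__(self):
        super().__init__()
        self.bugs = []
    def handle_starttag(self, tag, attrs):
        if tag != "img":
            return
        a = dict(attrs)  # HTMLParser lower-cases names and strips quotes for us
        dims = [a.get(k) or "" for k in ("width", "height")]
        tiny = all(d.isdigit() and int(d) <= 1 for d in dims)
        if tiny or "?" in (a.get("src") or ""):
            self.bugs.append((a.get("src"), "1x1 pixel" if tiny else "tagged URL"))

def analyze(raw):
    """Return (originating IP, list of suspected web bugs) for a raw message."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    body = msg.get_body(preferencelist=("html",))
    finder = WebBugFinder()
    if body is not None:
        finder.feed(body.get_content())
    return origin_ip(msg), finder.bugs
```

Run `analyze(RAW_MESSAGE)` to see the hop at 67.159.5.238 reported as the entry point and only the trailing track.php image flagged; the 290x150 banner image passes.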
Sure! If you are so reckless as to use Outlook as your mail tool, you are making things much easier for the attacker.
Generally speaking, Explorer has the most insecure design of any web browser, and it appears that it also has the greatest security-related software implementation problems. Averaged over time, any other browser will be more secure. Most people like Firefox, which isn't perfect but is far less insecure than Explorer.
Now, it turns out that Outlook uses some of the fundamentally insecure modules of Explorer, and there is really nothing you can do about that. So while you are downloading Firefox, then you need to also download Thunderbird, the accompanying e-mail tool.
And don't forget to disable any HTML rendering of your messages!
© Bob Cromwell Jul 2008. Created with /bin/vi and ImageMagick, hosted on OpenBSD with Apache.