

5 Good Reasons HTML in email is a BAD idea

I help maintain a website that collects and hosts massive amounts of genealogical data for use in research by users around the globe. Because most submissions are by e-mail to me by unknown persons, I absolutely detest receiving HTML in e-mail both for security reasons and for e-mail space limitations. Users of Incredimail are one of my biggest pet peeves.
While searching the web for instructions to provide to a user on how to send e-mail in plain text I found a wonderful article by Gerald Boyd that lists 5 great reasons why HTML in e-mail is a bad idea. This article is also useful in that it lists instructions on how to turn off HTML/MIME in most of the e-mail clients available. I have bookmarked this article so that I can now tell people not only WHY but also HOW to stop this nonsense in e-mail. I hope some of you might find it useful also 
Configuring Mail Clients to Send Plain ASCII Text

What is wrong with sending HTML or MIME messages? There are now five main reasons for NOT doing this:
Many E-mail and Usenet News reader programs, usually the mail and news reader programs that come with browser packages, allow users to include binary attachments (MIME or other encoding) or HTML (normally found on web pages) within their E-mail messages. This makes URLs into clickable links and it means that graphic images, formatting, and even color coded text can also be included in E-mail messages. While this makes your E-mail interesting and pretty to look at, it can cause problems for other people who receive your E-mail because they may use different E-mail programs, different computer systems, and different application programs whose files are often not fully compatible with each other. Any of these can cause trouble with in-line HTML (or encoded attachments). Most of the time all they see is the actual HTML code behind the message. And if someone replies to the HTML formatted message, the quoting can render the message even more unreadable. In some cases, the message is nothing but strange looking text. For this reason, many mailing lists, especially those that provide a digest version, explicitly forbid the use of HTML formatted e-mail. See examples section.
When you send an attachment, like a word processor file, to have it appear on the other end as the exact same type of file the recipient must have hardware and software that can read that file. For example, if you attach a Microsoft Word file, and the recipient of your message is using a word processor that can't open MS Word files, that person isn't going to be able to open your attachment and they are less than likely to be very happy about it.
HTML or MIME messages are larger and more wasteful than simple text messages. Using HTML or MIME in E-mail messages makes the messages larger in size by a minimum of two thirds to more than twenty times. These will take longer to download and they take up more storage space than standard plain text E-mail messages. E-mail storage is important because many people retain copies of messages they receive and in the case of mailing list digests, the individual messages are combined in one large message and sent to the user at the end of the day. Some mailing list programs fail to format the digest correctly if HTML messages appear. In addition, many mailing lists archive the messages for periods of 6 months or more to enable users to search for particular past postings.
HTML or MIME messages leave or include unwanted files (attachments) on the machines of the recipients of these messages. Embedded HTML or MIME attachments are the number one method of spreading virus, worm or Trojan programs. For instance, the Forgotten worm was written in Visual Basic Script and spread without any attachment. Instead, the worm code was embedded into the HTML formatted message body.
The I Love You worm program exploited an ActiveX vulnerability and was executed just by viewing or previewing the e-mail message without opening any attachment.
Likewise, embedded code could exploit some MS Office vulnerability as with Office ODBC Vulnerabilities and Specially Formed Script in HTML Mail can Execute in Exchange 5.5.
HTML messages can trigger dialups to the Internet if they contain links to specific images called "web bugs" that are used to track message and advertiser viewing. See Web Bug FAQ
MIME encoded attachments with file extensions (BAT, COM, DOC, EML, EXE, HTA, JS, PPT, SHS, VBE, VBS, WSH, XL#) have been the most common method of sending viruses, worms and Trojan programs because their code will be executed by Windows and associated viewers or other MS programs when the attachment is opened. Windows uses the extension to determine what the default action on a file will be. For instance, a .txt file will open in Notepad and a .html file will open in Internet Explorer.
Uncommon, but no less dangerous are file extensions (386, ACM, ACV, ADT, AX, BIN, BTM, CLA, CPL, CSC, CSH, DEV, DLL, DOT, DRV, HLP, HTM, HTT, INF, INI, JSE, JTD, MDB, MP#, MPP, MPT, MSO, OBD, OBT, OCX, OLE, OV#, PIF, PL, PM, POT, PP#, PPS, PRC, RAR, RTF, SCR, SH, SHB, SMM, SYS, VSD, VSS, VST, VXD, WSF, XL#, XLB, XTP).
HTML quickly fills the memory of PDAs (Personal Digital Assistants like the Palm Pilot). In addition, many HTML messages are also completely unreadable on most PDAs. Plain text is how your messages should be formatted when sending E-mail to mailing lists and Usenet newsgroups or to any other recipient. Though this rule is not yet cast in "Netiquette" stone, it is a good policy to follow if you want quick and informative responses to your questions and wish to avoid being "flamed" as a clueless newbie.
HTML is meant for the WWW; not for mailing lists, Usenet newsgroups postings, proper business E-mail correspondence and preferably not for personal E-mail unless the recipient is expecting it.
MIME encoded mail is generally used to send attachments that consist of pictures, sound files, spreadsheets, word-processing documents, zip files, or other binary files to recipients that have and use the same operating system, the same word processing program and a common E-mail program such as Eudora, Pegasus, Netscape, or Outlook.
MIME attachments are not wanted on mailing lists, Usenet newsgroups postings, business E-mail correspondence, and preferably not for personal E-mail unless the recipient is expecting it.
If you must send an attachment, then before you send the message with the attachment, ALWAYS send the recipient a message telling them you are about to send them an attachment. This will, at least, let them know to expect a message with an attachment from you.
An exception to the "no MIME attachments rule" can be made for PGP (Pretty Good Privacy), GPG (Gnu Privacy Guard), or other "Digital ID" signed e-mail. In this case, individuals, mailing lists, and Usenet newsgroups that use signed e-mail are probably expecting it. See MIME Security with Pretty Good Privacy (PGP).
Continuation of article here: »www.expita.com/nomime.html
Gerald E. Boyd's main page is worth a look too. G.E. Boyd's Everything By E-mail Webpage »www.expita.com/
P.S. Wishing Everyone a Happy Thanksgiving 
Edit: to fix link
-- It takes a disaster to make a woman out of a female
[text was edited by author 2002-11-27 11:10:46]

John2g Qui Tacet Consentit Premium join:2001-08-10 England
Good post!
One further point: as far as I know viruses cannot be embedded in "text only" mail.

reply to CalamityJane
Hi Janie
Excellent - but I do admit to being an Incredimail user (sometimes)....
Thanks for the links! 
Regards
Gordon -- Hey! Bo Diddley!

marti Color outside the lines Premium,MVM join:2001-12-14 Houston, TX kudos:5
reply to CalamityJane
The latest version of Outlook Express allows the user to read emails in text only (version 6.00.2800.1123); the capability to send in text only is a feature in all OE versions.
I think there are a few email clients around that support text only for reading.
-- *Team Z* Member **PCQ&A Forum** SBCGlobal, EnterNet 1.5 PPPoE s/w, Win98SE, Linksys NIC
[text was edited by author 2002-11-27 11:45:22]

dp Premium,MVM join:2000-12-08 Greensburg, PA kudos:7
reply to CalamityJane
Nice post there CJ, good reading and sound advice.

reply to John2g
said by John2g:
One further point: as far as I know viruses cannot be embedded in "text only" mail.
Correct. They can be attached to a plain text email, of course, but the user would have to download and run the attached file.
Good post, Jane!

John2g Qui Tacet Consentit Premium join:2001-08-10 England
said by Tuulilapsi:
Correct. They can be attached to a plain text email, of course, but the user would have to download and run the attached file.
Good post, Jane!
At least you can see the little ba*stards then!

John2g Qui Tacet Consentit Premium join:2001-08-10 England
reply to marti
said by marti:
The latest version of Outlook Express allows the user to read emails in text only (version 6.00.2800.1123); the capability to send in text only is a feature in all OE versions.
But for the people that do not use the latest version of OE, CJ's link shows how to configure most (all?) of the other email clients.

reply to Bo Diddley
Hi Gordon
Sorry to hear you use incredimail (please don't send me any cause it gets ditched in my webview and never even downloaded).
But actually you could answer a question for me:) Got one from someone the other day needing help and I had to view it - UGH! It had an annoying blinking red envelope at the end. What the HECK was that???
Janie just a "plain text" Jane
-- It takes a disaster to make a woman out of a female

bjf123 We Want... A Shrubbery Premium join:2000-02-11 Hamilton, OH
said by CalamityJane:
But actually you could answer a question for me:) Got one from someone the other day needing help and I had to view it - UGH! It had an annoying blinking red envelope at the end. What the HECK was that???
Incredimail has a number of animated stationeries available. The sender picked the one with the animated red envelope, probably to indicate the seriousness of their problem.
-- Golf is a relatively simple game, played by reasonably intelligent people, stupidly.

reply to John2g
said by John2g:
Good post!
One further point: as far as I know viruses cannot be embedded in "text only" mail.
It might be possible, depending on the E-mail client. About 10 years back a friend freaked me out by sending me the command char for a terminal beep in an E-mail. My machine beeped, I said "WTF?" and called him asking what it was he just did. He explained himself, and made mention that "it wasn't possible to send a real virus through text only E-mail." I challenged him on this, and my small group of friends spent the next 6 months doing anything we could to find a way.
We came up with this: Most E-mail programs (Text or GUI) take certain parts of the E-mail header and display them on the screen in certain places, such as the To: field, subject line, From: field, and possibly others. We came to the conclusion that it might be possible to attach executable code to the end of a subject line given that the client didn't do proper bounds checking. Unfortunately, at the time we didn't find any E-mail program with that vulnerability.
It was with great mirth, however, when we heard a few years later of web browsers coming under this attack in displaying the address bar.
--Demonspawn

Mele20 Premium join:2001-06-05 Hilo, HI kudos:4
reply to bjf123
Wow that incredimail sounds neat!! I'll have to go check it out. Sounds like I'd love it. I always send in HTML (except to lists which I do not belong to any because they are in plain text which I hate and to NG which I do belong to but hate reading as it is so hard to read plain text). I always convert all messages sent to me in plain text to HTML so I can read them more easily and so they aren't boring. I depend on my NOD32 to catch the baddies and, of course, I don't get spam in my main addresses. I use a web address for posting in NG's etc and the spam comes there. Everyone I know uses HTML for email. It's like I use personal stationery if I send a letter by snail mail ...I would never dream of sending a letter on some piece of junk paper scribbled badly ...so why would I do the equivalent of that in email? How rude of me! I get so tired of people who own a computer for I don't know why as they are afraid to use it! There is so much beautiful stationery out there for Outlook Express. It should be used and enjoyed ...not put down by people who hate lovely things. Just buy the best antivirus available, keep it up to date and stop being so uptight!
-- "Everything can be taken from a man or woman but one thing: the last of the human freedoms - to choose one's attitude in any given set of circumstances, to choose one's destiny." Victor Frankl - Man's Search for Meaning

reply to CalamityJane
said by Gerald Boyd:
Uncommon, but no less dangerous are file extensions (386, ACM, ACV, ADT, AX, BIN, BTM, CLA, CPL, CSC, CSH, DEV, DLL, DOT, DRV, HLP, HTM, HTT, INF, INI, JSE, JTD, MDB, MP#, MPP, MPT, MSO, OBD, OBT, OCX, OLE, OV#, PIF, PL, PM, POT, PP#, PPS, PRC, RAR, RTF, SCR, SH, SHB, SMM, SYS, VSD, VSS, VST, VXD, WSF, XL#, XLB, XTP).
Actually, .rar is a compressed format that, like .zip, is a relatively safe non-executable format. NOTE: I gave a thumbs to both Mele and CJ in this thread, who although having opposing views, I thought expressed their particular viewpoint very well.
-- "But now abide faith, hope, love, these three; but the greatest of these is love." (1 Cor. 13:13)

reply to CalamityJane
Hi Janie:)
The "annoying blinking red envelope at the end" is probably a link to their site so that the 'plain text' folks (such as yourself:)) can brighten up their emails; I think it shows up only when the incredimail is processed by a non-incredimail client. Also, as bjf123 pointed out, there are heaps of animations to use in the body of the e-mail.
My preferred e-mail client is Isbister's Express Plus; »www.isbister.com
Regards
Gordon -- Hey! Bo Diddley!

sig Premium join:2001-05-05
reply to Mele20
Those who prefer not to use or read HTML email "hate lovely things?"

reply to Mele20
Mele, Oh No! I've unleashed a monster by mentioning Incredimail. (Somehow I should have foreseen this)
said by Mele20:
There is so much beautiful stationery out there for Outlook Express. It should be used and enjoyed ...not put down by people who hate lovely things. Just buy the best antivirus available, keep it up to date and stop being so uptight!
And I think that is great if you and your friends are having fun with all the pretty things it can do if that is something you all do regularly with each other (but only if the recipient is expecting it and has an e-mail client that can read it properly and has AGREED to accept it which I hope that you and your friends do.)
However, I believe the article brings up some very valid points about scenarios in which HTML e-mail is not appreciated by all and certainly unnecessary in most e-mail (just my opinion). It also points out security risks of HTML in e-mail. Even with the best AV & security software out there....new exploits are being found and used all the time. Isn't that why everyone rushes to get the latest updates the very moment they are released? I do NOT trust my AV to protect against everything (I expect ME to do that). My AV also won't unstuff my overloaded e-mail box crammed with all the "pretty stuff" so that the important stuff can't get to me.
-- It takes a disaster to make a woman out of a female

In Mele's defense, I happen to have received email from her in the past, and I know it is quite benign and harmless. I see nothing wrong with Mele's liking for pretty backgrounds and stationery, all of which is harmless. Mele isn't talking about attaching some malicious embedded script or ActiveX in her email: just enjoying the available features that html and rich-text formatting has to offer. :)

La Luna Survived Ashraful Premium join:2001-07-12 Warwick, NY kudos:3
said by Randy Bell:
In Mele's defense, I happen to have received email from her in the past, and I know it is quite benign and harmless. I see nothing wrong with Mele's liking for pretty backgrounds and stationery, all of which is harmless. Mele isn't talking about attaching some malicious embedded script or ActiveX in her email: just enjoying the available features that html and rich-text formatting has to offer. :)
IncrediMail IS very neat. I've used it in the past, but unfortunately it didn't play nice with my system and would occasionally freeze on me about three quarters of the way through an e-mail I would be typing. What a pain THAT was...
Anyway, IM CAN be set to use plain text if the user so desires. So if I were e-mailing CJ for example, who I knew didn't like HTML messages, I would be SURE to switch it just for her. It is also a good feature in case you want to use it for business purposes, without all the fancy stuff.
-- »www.sarahbrightman.co.uk »www.sarah-brightman.com/

sig Premium join:2001-05-05
reply to Randy Bell
That's fine, Randy. I just take exception to the characterization that anyone who does not prefer or is wary of the use of HTML email as a standard (with the known potential for security issues) "hates lovely things."
Just as many caution others not to just download files willy nilly from any source, even if one has an updated AV, it's not entirely outrageous or an offense against aesthetics to suggest that wholesale use of HTML email might not be one's preference.
Perhaps one day Mele's email will appear on display in the Louvre but I still prefer text email not just for potential security reasons but because IMO it's cleaner (OE 6 does a nice job of presenting HTML emails as text IMO) and easier for me to read. I frankly prefer to read emails that way without slogging through someone else's idea of "cute" or "lovely." And yet, I still appreciate a Seurat or Monet...
Now back to my Rushkin....

reply to Randy Bell
Hi Ran. Mele is not under attack. People do enjoy HTML email and attachments between friends all the time and she is obviously responsible about when and where to use it. As I said, I have no problem with that. My peeve is with people who DO NOT know when or how to turn it off when inappropriate.
Some friends I have prefer not to receive any HTML e-mail whatsoever, and I respect their reasons for that. They have their e-mail client set to read in plain text only, in which case, any HTML shows up many times as an attachment, unknown to the sender (because it is not really an attachment). I believe OE does this, though I do not use it. In fact, I found that my Juno e-mail converts my messages to HTML automatically and I needed to find out how to turn it (HTML) off when sending e-mail to those who are sensitive to receiving HTML e-mail. The article has some nice instructions on how to do that.
......... Gordon, thanks for the info on the blinking envelope link - I about went nuts trying to figure out what that was because it isn't explained anywhere to a non-Incredimail user (or in the e-mail itself). It was a link - I did not click it as the sender was unknown to me. Glad I didn't miss anything important
-- It takes a disaster to make a woman out of a female
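
A receiving-side check for the risks raised in this thread (HTML bodies, remote "web bug" images, active content, attachments with extensions from the quoted article's list, and the control character in a header from Demonspawn's post), as an added example that is not part of the thread or of the quoted article. The function name, finding labels and both sample messages are constructed for illustration, and the extension set is only a subset of the article's list.

```python
import email
import re
from email import policy

# Subset of the attachment extensions named in the article quoted in the first post.
RISKY_EXT = {"bat", "com", "eml", "exe", "hta", "js", "jse", "pif",
             "scr", "shs", "vbe", "vbs", "wsf", "wsh"}
REMOTE_IMG = re.compile(r"<img\b[^>]*\bsrc\s*=\s*[\"']?https?://", re.I)
ACTIVE = re.compile(r"<\s*(script|object|embed|iframe)\b", re.I)
CONTROL = re.compile(r"[\x00-\x08\x0b\x0c\x0e-\x1f\x7f]")


def audit_message(raw):
    """Return a list of findings for one raw RFC 822 message (bytes)."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    findings = []
    # Headers are displayed before the body is opened, so check them first.
    for name in ("Subject", "From", "To"):
        if CONTROL.search(str(msg.get(name, ""))):
            findings.append("control-char-in-" + name.lower())
    for part in msg.walk():
        if part.is_multipart():
            continue
        filename = part.get_filename()
        if filename:
            # Only the extension after the final dot decides the default action.
            ext = filename.rsplit(".", 1)[-1].lower() if "." in filename else ""
            if ext in RISKY_EXT:
                findings.append("risky-attachment:" + filename)
        elif part.get_content_type() == "text/html":
            findings.append("html-part")
            html = part.get_content()
            if REMOTE_IMG.search(html):
                findings.append("remote-image")  # fetched on view: possible web bug
            if ACTIVE.search(html):
                findings.append("active-content")
    return findings


# Constructed sample messages (not real mail).
HTML_MAIL = (
    b"From: sender@example.org\r\n"
    b"To: list@example.org\r\n"
    b"Subject: family tree\x07\r\n"
    b"MIME-Version: 1.0\r\n"
    b'Content-Type: multipart/mixed; boundary="b1"\r\n\r\n'
    b"--b1\r\n"
    b"Content-Type: text/html; charset=us-ascii\r\n\r\n"
    b'<html><body>Hi<img src="http://tracker.example/p.gif?id=42" width="1">'
    b"<script>x()</script></body></html>\r\n"
    b"--b1\r\n"
    b"Content-Type: text/plain\r\n"
    b'Content-Disposition: attachment; filename="records.txt.vbs"\r\n\r\n'
    b"placeholder\r\n"
    b"--b1--\r\n"
)
PLAIN_MAIL = (b"From: a@example.org\r\nSubject: hello\r\n"
              b"Content-Type: text/plain\r\n\r\nJust text.\r\n")

if __name__ == "__main__":
    print(audit_message(HTML_MAIL))
    print(audit_message(PLAIN_MAIL))
```
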