
Why HTML E-Mail is Dangerous

HTML e-mail is very dangerous

HTML e-mail will guarantee that you get more spam, because of something called a "web bug". It also puts you at much greater risk of phishing. You could just take my word for it and turn off HTML, but keep reading for the details. Let's look at the phishing risk first.

I recently received an email apparently from Amazon Prime. If I had HTML enabled, it would appear like this:

Fake message supposedly from Amazon Prime, trying to trick me into giving up my Amazon credentials.

It looks convincing, as it tells the email tool to load graphics from Amazon's web site.

However, with my Thunderbird email tool in plain text mode as usual, I see this:

   From Amazon Prime <noreply.ngtd-kwwwk-systemskdw-lontedksd.10312714@countryamericaunitedstates028.com>
Subject Update Your Payment On Your Amazon.com
     To payments-update@amazon.com
    Bcc Me <bob.cromwell@comcast.net>

--000000000000d35fa205a7d576c5
Content-Type: multipart/alternative; boundary="000000000000d35f9f05a7d576c3"

--000000000000d35f9f05a7d576c3
Content-Type: text/plain; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

[image: <font style='color:transparent;font-size:0px'>36995</font>Аm<font
style='color:transparent;font-size:0px'>1591898549286525</font>azon<font
style='color:transparent;font-size:0px'>159189854923677</font>.com] 75
Accοunt1591898549286525 36995Securіty1591898549286525

Greetings 1591898549286525frοm159189854923677 36995Аm1591898549286525azon
159189854923677

We have placed a hold on 75yοur1591898549286525 36995Аm1591898549286525azon
159189854923677 75accοunt1591898549286525 and all pending orders.

We took this action the billing 1591898549286525іnfοrmatіοn you provided
did not match the 1591898549286525іnfοrmatіοn on file wіth15918985498970
the card issuer.

To resolve this issue, please 75verіfy159189854923677 now wіth15918985498970
the billing name, address, and telephone number registered to 75yοur
1591898549286525 payment card. if you have recently moved, you may need to
update this 1591898549286525іnfοrmatіοn wіth15918985498970 the card issuer.

If you didn't 75verіfy159189854923677 now today to access 75yοur
1591898549286525 75accοunt1591898549286525 please rest assured that we
haven't given any access to 75yοur1591898549286525 36995Аm1591898549286525
azon159189854923677 75accοunt1591898549286525 and all 75yοur1591898549286525
1591898549286525іnfοrmatіοn is still secure.
We look forward to seeing you again soon.

Sincerely,

Customer Service Department,
36995Аm1591898549286525azon159189854923677
Please note: this e-mail was sent 1591898549286525frοm159189854923677 a
159189854923677nοtіfіcatіοn-only address that cannot accept incoming
e-mail. Please do not reply to this message.

--000000000000d35f9f05a7d576c3
Content-Type: text/html; charset="UTF-8"
Content-Transfer-Encoding: quoted-printable

<div dir=3D"ltr"><p>=C2=A0</p>

<table id=3D"container" style=3D"width:500px;border-collapse:collapse;color=
:#333333;margin:0px auto" cellpadding=3D"0">
<tbody>
<tr>
[...]

As it goes into the HTML segment, we see it loading graphics from Amazon:

<td class=3D"logo" style=3D"padding:18px 0px 0px 0px;width:115px;vertical-a=
lign:middle;font:14px Arial,sans-serif" rowspan=3D"2"><img style=3D"border:=
 0px;" src=3D"https://images-na.ssl-images-amazon.com/images/G/01/x-locale/=
cs/te/logo._CB152417367_.png" alt=3D"<font style=3D'color:transparen=
t;font-size:0px'>36995</font>=D0=90m<font style=3D'colo=
r:transparent;font-size:0px'>1591898549286525</font>azon<fo=
nt style=3D'color:transparent;font-size:0px'>159189854923677<=
/font>.com"></td>

And then, if we care to look for it, there is lots of transparent-text trickery to obscure what's going on, evading spam detection and misleading the human reader of the rendered result. The string "Amazon" is always broken up with hidden numeric strings:

<p style=3D"text-align:justify;font:14px/18px Arial,sans-serif;margin:4px 0=
px 14px">We have placed a hold on <span style=3D"color:transparent;font-siz=
e:0px">75</span>y=CE=BFur<span style=3D"color:transparent;font-size:0px">15=
91898549286525</span> <span style=3D"color:transparent;font-size:0px">36995=
</span>=D0=90m<span style=3D"color:transparent;font-size:0px">1591898549286=
525</span>azon<span style=3D"color:transparent;font-size:0px">1591898549236=
77</span> <span style=3D"color:transparent;font-size:0px">75</span>acc=CE=
=BFunt<span style=3D"color:transparent;font-size:0px">1591898549286525</spa=
n> and all pending orders.</p>
<p style=3D"text-align:justify;font:14px/18px Arial,sans-serif;margin:4px 0=
px 14px">We took this action the billing <span style=3D"color:transparent;f=
ont-size:0px">1591898549286525</span>=D1=96nf=CE=BFrmat=D1=96=CE=BFn you pr=
ovided did not match the <span style=3D"color:transparent;font-size:0px">15=
91898549286525</span>=D1=96nf=CE=BFrmat=D1=96=CE=BFn on file w=D1=96th<span=
 style=3D"color:transparent;font-size:0px">15918985498970</span> the card i=
ssuer.</p>

Down below the HTML version is an encoded PDF file, which is what I showed you at the top. The HTML section has some clumsy wording:
We took this action the billing you provided did not match the card issuer.
The scammers got the PDF image from someone with better English skills.

This scam attempt is far from convincing in plain text mode!
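As an added example, not code from the original article, here is a short Python script that undoes the trick quoted above: it decodes the quoted-printable HTML, separates the text a reader would see from the text hidden by font-size:0px or color:transparent styles, and names every letter in the visible text that is not Latin, which is how the Cyrillic and Greek look-alikes in "Аmazon" and "accοunt" reveal themselves. The sample input is constructed to follow the pattern of the message rather than copied from it.

```python
import quopri
import unicodedata
from html.parser import HTMLParser

# Constructed sample modelled on the quoted-printable HTML shown above (not the
# original bytes): hidden spans split "Amazon", and =D0=90 / =CE=BF are a
# Cyrillic A (U+0410) and a Greek omicron (U+03BF) standing in for Latin letters.
SAMPLE_QP = (
    b'<p>We have placed a hold on <span style=3D"color:transparent;font-siz=\n'
    b'e:0px">75</span>y=CE=BFur <span style=3D"color:transparent;font-size:0px">36995=\n'
    b'</span>=D0=90m<span style=3D"color:transparent;font-size:0px">1591898549286=\n'
    b'525</span>azon</p>'
)
VOID_TAGS = {"img", "br", "hr", "meta", "link", "input"}  # elements with no closing tag

def is_hidden(style):
    """True for the CSS tricks used in the message: zero font size or transparent colour."""
    s = style.replace(" ", "").lower()
    return "font-size:0px" in s or "color:transparent" in s

class VisibleText(HTMLParser):
    """Split element text into what a reader sees and what CSS hides from them."""
    def __init__(self):
        super().__init__()
        self.visible, self.hidden, self._hidden_depth = [], [], 0  # depth > 0 inside hidden markup

    def handle_starttag(self, tag, attrs):
        if tag in VOID_TAGS:
            return
        if self._hidden_depth or is_hidden(dict(attrs).get("style") or ""):
            self._hidden_depth += 1

    def handle_endtag(self, tag):
        if self._hidden_depth:
            self._hidden_depth -= 1

    def handle_data(self, data):
        (self.hidden if self._hidden_depth else self.visible).append(data)

def analyze(qp_bytes):
    """Return (visible text, hidden text, [(char, name)] for non-Latin letters)."""
    parser = VisibleText()
    parser.feed(quopri.decodestring(qp_bytes).decode("utf-8"))
    parser.close()
    visible = "".join(parser.visible)
    lookalikes = [(c, unicodedata.name(c)) for c in visible
                  if c.isalpha() and not unicodedata.name(c).startswith("LATIN")]
    return visible, "".join(parser.hidden), lookalikes
```

Run against a real text/html part, the hidden string is what a spam filter matching on the raw bytes sees, and the look-alike list is what a filter matching on the rendered words would miss.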


How does HTML mode enable spam?

If your e-mail tool renders HTML, then you WILL get more spam. Turn off HTML rendering and see messages as their literal content.

Not that I feel strongly about this, but HTML E-mail is the Kardashian of electronic communication. Supposedly it's "all about style", but it leads to messages with very little substance and is mostly pure tackiness and not really pretty at all. Meanwhile it almost never accomplishes anything worthwhile.

Let me climb down off my soapbox and explain why it will bring more spam.

Here is a real spam message that I received. I have kept all the headers in here, which allows us to see that it started from IP address 67.159.5.238. Hmmm, whois tells us that this spam was sent from:

FDC Servers.net, LLC
OrgID:      FDCSE
Address:    141 West Jackson Blvd, Suite 1135
City:       Chicago
StateProv:  IL
PostalCode: 60604
Country:    US

It started on a machine named hedra.slmhosting.net, then made a few hops through insightbb.com, my ISP at the time. It was really sent to my e-mail address, which I have changed to target@insightbb.com because the spammers use robots to scrape web pages for e-mail addresses. I will, however, include the e-mail addresses of support@fdcservers.net and abuse@fdcservers.net here, since it was their system that spammed me and they should share in the delight of being spammed.

Back to the HTML analysis. Below is the message; examine the highlighted very last line of content:

From mailsiparis@istanbulbilisim.com.tr Thu Jun 14 16:38:26 2023
Return-path: <nobody@hedra.slmhosting.net>
Received: from mta4.manage.insightcom.com ([172.31.249.158])
        by msb1.manage.insightcom.com
        (Sun Java System Messaging Server 6.2-6.01)
        with ESMTP id <0JJN00M3N805PR80@msb1.manage.insightcom.com> for
        target@insightbb.com; Thu, 14 Jun 2023 16:38:29 -0400 (EDT)
Received: from asav05.insightbb.com ([172.31.249.123])
        by mta4.manage.insightcom.com
        (Sun Java System Messaging Server 6.2-6.01)
        with ESMTP id <0JJN00LZY804EZS0@mta4.manage.insightcom.com> for
        target@insightbb.com (ORCPT target@insightbb.com); Thu,
        14 Jun 2023 16:38:29 -0400 (EDT)
Received: from unknown (HELO hedra.slmhosting.net) ([67.159.5.238])
        by aa05.insightbb.com with ESMTP; Thu, 14 Jun 2023 16:38:28 -0400
Received: from nobody by hedra.slmhosting.net with local (Exim 4.66)
        (envelope-from <nobody@hedra.slmhosting.net>)
        id 1Hyw5K-0003dV-Bk	for target@insightbb.com; Thu,
 14 Jun 2023 16:38:26 -0400
Date: Thu, 14 Jun 2023 16:38:26 -0400
From: "mailsiparis@istanbulbilisim.com.tr" <mailsiparis@istanbulbilisim.com.tr>
Subject: Istanbul Bilisim A.S Bahar Kampanyalari Kacirilmayacak Firsatlar
X-Sender: <mailsiparis@istanbulbilisim.com.tr>
To: target@insightbb.com
Reply-to: "mailsiparis@istanbulbilisim.com.tr"
   <mailsiparis@istanbulbilisim.com.tr>
Message-id: <E1Hyw5K-0003dV-Bk@hedra.slmhosting.net>
MIME-version: 1.0
X-Mailer: PHP 4
Content-type: text/html;
  charsetiso-8859-1=""
Content-transfer-encoding: 8BIT


<HTML><HEAD><TITLE>maillcd</TITLE>
<META http-equiv=Content-Type content="text/html; charset=windows-1254">
<META content="MSHTML 6.00.6000.16441" name=GENERATOR></HEAD>
<BODY bgColor=#ffffff leftMargin=0 topMargin=0 marginwidth="0" marginXeight="0"><!-- ImageReady Slices (maillcd.jpg) -->
<TABLE id=Table_01 Xeight=1116 cellSpacing=0 cellPadding=0 width=800 border=0>
<TBODY>
<TR>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG Xeight=150 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_01.jpg" width=290 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG Xeight=150 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_02.jpg" width=224 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG Xeight=150 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_03.jpg" width=286 border=0></A></TD></TR>
<TR>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=459"><IMG Xeight=262 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_04.jpg" width=290 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=458"><IMG Xeight=262 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_05.jpg" width=224 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=470"><IMG Xeight=262 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_06.jpg" width=286 border=0></A></TD></TR>
<TR>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=474"><IMG Xeight=268 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_07.jpg" width=290 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=451"><IMG Xeight=268 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_08.jpg" width=224 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=302"><IMG Xeight=268 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_09.jpg" width=286 border=0></A></TD></TR>
<TR>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=448"><IMG Xeight=278 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_10.jpg" width=290 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=329"><IMG Xeight=278 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_11.jpg" width=224 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=402"><IMG Xeight=278 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_12.jpg" width=286 border=0></A></TD></TR>
<TR>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG Xeight=158 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_13.jpg" width=290 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG Xeight=158 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_14.jpg" width=224 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG Xeight=158 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_15.jpg" width=286 border=0></A></TD></TR></TBODY></TABLE><!-- End ImageReady Slices -->
<P> </P>
<P align=center>Istanbul Bilisim A.S. Yaz Kampanyalari</P>
<P align=center>Bu Maili almak istemiyorsaniz asagidaki unsubscribe linkine tiklayiniz...</P><div align='center' style='font-face: verdana;'>
<a href='http://www.reklam.istanbulbilisim.com.tr/mwsubscribe/index.php?what=doUn&email=target@insightbb.com&c=Ym9iLmNyb213ZWxsQGluc2lnaHRiYi5jb20=&t=1&nId=9'>Unsubscribe</a>
 | <a href='http://www.reklam.istanbulbilisim.com.tr/mwsubscribe/index.php?what=login&email=target@insightbb.com'>Change Subscription Preferences</a>
</div>
</BODY></HTML><img src="http://www.reklam.istanbulbilisim.com.tr/mwsubscribe/track.php?su=31&s=112332" width="1" Xeight="1">

Ahah! Look at what that last line would do if you used an e-mail tool that rendered HTML.

Congratulations! You just sent the message su=31&s=112332 to the spammer's server. Everyone who got this message got unique numbers embedded in their message. What does it mean when you make this request of the spammer's server?

I read my spam, please send more!
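As an added example that is not part of the original article, this Python snippet scans an HTML body the way a mail filter on the receiving side might: it flags 1x1 images, normal-size images whose fetch still carries query parameters, and any link or image whose parameters contain the recipient's address, either literally or base64-encoded, as the unsubscribe link above does. The host, address and ids in the sample are constructed.

```python
import base64
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

# Constructed sample modelled on the spam quoted above (host, address and ids are
# made up): an unsubscribe link carrying the recipient's address, plain and
# base64-encoded, and a 1x1 image with per-recipient ids after the closing </html>.
RECIPIENT = "target@example.com"
SAMPLE_HTML = (
    '<html><body><p>Bahar Kampanyalari</p>'
    '<a href="http://lists.example.net/index.php?what=doUn&amp;email=' + RECIPIENT +
    '&amp;c=' + base64.b64encode(RECIPIENT.encode()).decode() + '&amp;t=1">Unsubscribe</a>'
    '<img src="http://lists.example.net/images/banner_01.jpg" width=290 height=150>'
    '</body></html>'
    '<img src="http://lists.example.net/track.php?su=31&amp;s=112332" width="1" height="1">'
)

class WebBugFinder(HTMLParser):  # collects (tag, url, reason) findings
    def __init__(self, recipient):
        super().__init__()
        self.recipient = recipient
        self.recipient_b64 = base64.b64encode(recipient.encode()).decode()
        self.findings = []

    def _check_url(self, tag, url):
        # Any query parameter equal to the recipient's address, plain or base64-encoded.
        params = parse_qsl(urlsplit(url).query)
        for key, value in params:
            if value in (self.recipient, self.recipient_b64):
                self.findings.append((tag, url, "recipient address in %s=" % key))
        return params

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            params = self._check_url(tag, src)
            if a.get("width") in ("0", "1") and a.get("height") in ("0", "1"):
                self.findings.append((tag, src, "1x1 tracking pixel"))
            elif params:  # a normal-size image whose fetch still carries identifiers
                self.findings.append((tag, src, "image fetch carries parameters"))
        elif tag == "a":
            self._check_url(tag, a.get("href") or "")

def find_web_bugs(html, recipient):
    parser = WebBugFinder(recipient)
    parser.feed(html)
    parser.close()
    return parser.findings
```

The banner image in the sample produces no finding, which is the point: the signal is not "remote image" but "remote image whose request identifies me".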

Turn off that HTML rendering!

Could things be even worse?

Sure! If you are so reckless that you use Outlook as your mail tool, you are making things much easier for the attacker.

Generally speaking, Explorer has the most insecure design of any web browser, and it appears that it also has the greatest security-related software implementation problems. Averaged over time, any other browser will be more secure. Most people like Firefox, which isn't perfect but is far less insecure than Explorer.

Now, it turns out that Outlook uses some of the fundamentally insecure modules of Explorer, and there is really nothing you can do about that. So while you are downloading Firefox, then you need to also download Thunderbird, the accompanying e-mail tool.

And don't forget to disable any HTML rendering of your messages!

