
Why HTML E-Mail is Dangerous

HTML e-mail is very dangerous

HTML e-mail will guarantee that you get more spam.

This is because of something called a "web bug". But if you won't just take my word for it and turn off HTML, keep reading...

Let's say that someone sends you an e-mail message that really contains the following:

From: moron@yourcompany.com
Subject: I'm not working!

<h1>Yo, Whassup??</h1>
I got <b>no</b> work done today because I wasted the whole day looking at <a href="http://www.youtube.com/">http://www.youtube.com/</a>
<p style="background: #ff6eb4; color: #800000">
That Youtube is really <b>PHAT!</b>
&mdash; Tony

That's a silly message with a bunch of HTML mark-up code generated by the sender's fancy e-mail tool. But how will that message appear in your e-mail tool?

It should appear literally as it does above! You should see the HTML tags. Your e-mail tool should not render the HTML into the supposedly pretty picture that it describes. That is, it should look like the above and NOT like this:

From: moron@yourcompany.com
Subject: I'm not working!

Yo, Whassup??

I got no work done today because I wasted the whole day looking at http://www.youtube.com/

That Youtube is really PHAT!

— Tony

Why does this matter?

The simple answer is this: If your e-mail tool renders HTML, then you WILL get more spam.

Therefore you should turn OFF HTML rendering and see messages as their literal content like the first version above.

Oh, I can hear the wailing already....

"I have to use HTML formatting, because I can't get my point across in English prose without special fonts and colors!"
— Then you are an idiot and should not be using computers.

"But my boss insists that I use HTML formatting!"
— Then your boss is an idiot.

"But my company cannot function without HTML formatting!"
— Then your entire company is based on idiocy.

"But, but, fancy HTML formatting is more important to me than computer security or reducing spam or anything else, and by golly, I REALLY want to use it because then I can use those funny 'smiley face' pictures!"
— Then you probably should not be allowed out in public unsupervised.

Not that I feel strongly about this, but HTML E-mail is the Kardashian of electronic communication. Supposedly it's "all about style", but really it has very little substance and is mostly pure tackiness and not really pretty at all. Meanwhile it almost never accomplishes anything worthwhile.

Climb down off your soapbox and explain why it will bring more spam!

Fine, here is a real spam message that I received. I have kept all the headers in here, which allows us to see that it started from IP address Hmmm, whois tells us that this spam was sent from:

FDC Servers.net, LLC
OrgID:      FDCSE
Address:    141 West Jackson Blvd, Suite 1135
City:       Chicago
StateProv:  IL
PostalCode: 60604
Country:    US

It started on a machine named hedra.slmhosting.net, then made a few hops through insightbb.com, my ISP at the time. It was really sent to my e-mail address, which I have changed to target@insightbb.com because the spammers use robots to scrape web pages for e-mail addresses. I will, however, include the e-mail addresses of support@fdcservers.net and abuse@fdcservers.net here, since it was their system that spammed me and they should share in the delight of being spammed.

Back to the HTML analysis. Below is the message, shown as a literal copy. Examine the very last line of content:

From mailsiparis@istanbulbilisim.com.tr Thu Jun 14 16:38:26 2007
Return-path: <nobody@hedra.slmhosting.net>
Received: from mta4.manage.insightcom.com ([])
        by msb1.manage.insightcom.com
        (Sun Java System Messaging Server 6.2-6.01 (built Apr  3 2006))
        with ESMTP id <0JJN00M3N805PR80@msb1.manage.insightcom.com> for
        target@insightbb.com; Thu, 14 Jun 2007 16:38:29 -0400 (EDT)
Received: from asav05.insightbb.com ([])
        by mta4.manage.insightcom.com
        (Sun Java System Messaging Server 6.2-6.01 (built Apr  3 2006))
        with ESMTP id <0JJN00LZY804EZS0@mta4.manage.insightcom.com> for
        target@insightbb.com (ORCPT target@insightbb.com); Thu,
        14 Jun 2007 16:38:29 -0400 (EDT)
Received: from unknown (HELO hedra.slmhosting.net) ([])
        by aa05.insightbb.com with ESMTP; Thu, 14 Jun 2007 16:38:28 -0400
Received: from nobody by hedra.slmhosting.net with local (Exim 4.66)
        (envelope-from <nobody@hedra.slmhosting.net>)
        id 1Hyw5K-0003dV-Bk	for target@insightbb.com; Thu,
 14 Jun 2007 16:38:26 -0400
Date: Thu, 14 Jun 2007 16:38:26 -0400
From: "mailsiparis@istanbulbilisim.com.tr" <mailsiparis@istanbulbilisim.com.tr>
Subject: Istanbul Bilisim A.S Bahar Kampanyalari Kacirilmayacak Firsatlar
X-Sender: <mailsiparis@istanbulbilisim.com.tr>
To: target@insightbb.com
Reply-to: "mailsiparis@istanbulbilisim.com.tr"
Message-id: <E1Hyw5K-0003dV-Bk@hedra.slmhosting.net>
MIME-version: 1.0
X-Mailer: PHP 4
Content-type: text/html;
Content-transfer-encoding: 8BIT

<META http-equiv=Content-Type content="text/html; charset=windows-1254">
<META content="MSHTML 6.00.6000.16441" name=GENERATOR></HEAD>
<BODY bgColor=#ffffff leftMargin=0 topMargin=0 marginwidth="0" marginXeight="0"><!-- ImageReady Slices (maillcd.jpg) -->
<TABLE id=Table_01 Xeight=1116 cellSpacing=0 cellPadding=0 width=800 border=0>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG Xeight=150 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_01.jpg" width=290 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG Xeight=150 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_02.jpg" width=224 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG Xeight=150 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_03.jpg" width=286 border=0></A></TD></TR>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=459"><IMG Xeight=262 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_04.jpg" width=290 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=458"><IMG Xeight=262 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_05.jpg" width=224 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=470"><IMG Xeight=262 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_06.jpg" width=286 border=0></A></TD></TR>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=474"><IMG Xeight=268 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_07.jpg" width=290 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=451"><IMG Xeight=268 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_08.jpg" width=224 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=302"><IMG Xeight=268 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_09.jpg" width=286 border=0></A></TD></TR>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=448"><IMG Xeight=278 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_10.jpg" width=290 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=329"><IMG Xeight=278 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_11.jpg" width=224 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/lcd_content_detail.asp?content_id=402"><IMG Xeight=278 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_12.jpg" width=286 border=0></A></TD></TR>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG Xeight=158 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_13.jpg" width=290 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG Xeight=158 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_14.jpg" width=224 border=0></A></TD>
<TD><A href="http://www.istanbulbilisim.com.tr/"><IMG Xeight=158 alt="" src="http://reklam.istanbulbilisim.com.tr/mailreklam/images/maillcd_15.jpg" width=286 border=0></A></TD></TR></TBODY></TABLE><!-- End ImageReady Slices -->
<P> </P>
<P align=center>Istanbul Bilisim A.S. Yaz Kampanyalari</P>
<P align=center>Bu Maili almak istemiyorsaniz asagidaki unsubscribe linkine tiklayiniz...</P><div align='center' style='font-face: verdana;'>
<a href='http://www.reklam.istanbulbilisim.com.tr/mwsubscribe/index.php?what=doUn&email=target@insightbb.com&c=Ym9iLmNyb213ZWxsQGluc2lnaHRiYi5jb20=&t=1&nId=9'>Unsubscribe</a>
 | <a href='http://www.reklam.istanbulbilisim.com.tr/mwsubscribe/index.php?what=login&email=target@insightbb.com'>Change Subscription Preferences</a>
</BODY></HTML><img src="http://www.reklam.istanbulbilisim.com.tr/mwsubscribe/track.php?su=31&s=112332" width="1" Xeight="1">

Ahah! Look at what that last line would do if you used an e-mail tool that rendered HTML.

Congratulations! You just sent the message su=31&s=112332 to the spammer's server. Everyone who got this message got unique numbers embedded in their message. What does it mean when you make this request of the spammer's server?

I read my spam, please send more!

Turn off that HTML rendering!
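To make the two points above concrete, here is an added example (my code, not code from the original page) that does what a careful mail client or a mail filter should do with such a message: it parses the raw message with Python's standard library, lists every image that would be fetched from a remote server when the HTML is rendered, and flags the tell-tale signs of a web bug (a 1x1 size and a per-recipient query string like su=31&s=112332). It also shows the "do not load remote content" mitigation by replacing each remote image with a visible placeholder, so the text can still be read without any request reaching the sender. The sample message is constructed for this example; its addresses and hosts are placeholders that mirror the structure of the spam quoted above, and the detection heuristic is my own, not anything the page or a particular mail client specifies.

```python
"""Find remote-image "web bugs" in an e-mail message and neutralise them.

Added example, not code from the original page. Standard library only.
The sample message is constructed; hosts and addresses are placeholders.
"""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlsplit

# Constructed sample: a text/html message whose last line is a tracking pixel,
# in the same position as the one in the spam discussed on the page.
SAMPLE_MESSAGE = """\
From: "sender@example.invalid" <sender@example.invalid>
To: target@example.invalid
Subject: Spring campaign
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii
Content-Transfer-Encoding: 8bit

<HTML><BODY>
<A href="http://www.example.invalid/"><IMG src="http://ads.example.invalid/images/banner_01.jpg" width=290 height=150 alt=""></A>
<a href='http://www.example.invalid/unsub.php?what=doUn&email=target@example.invalid'>Unsubscribe</a>
</BODY></HTML><img src="http://www.example.invalid/track.php?su=31&s=112332" width="1" height="1">
"""


class ImageCollector(HTMLParser):
    """Collect the attributes of every <img> tag (names are lower-cased by the parser)."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag == "img":
            self.images.append(dict(attrs))


def html_body(raw_message):
    """Return the decoded text/html body of a raw message, or '' if it has none.

    This string is also the "literal view": what a client that does not render
    HTML shows the reader, tags and all.
    """
    msg = email.message_from_string(raw_message, policy=policy.default)
    part = msg.get_body(preferencelist=("html",))
    return part.get_content() if part is not None else ""


def find_web_bugs(raw_message):
    """Return suspected tracking images, each with the reasons it was flagged.

    Every remote (http/https) image is a beacon: fetching it tells the sender's
    server the message was opened. A 1x1 size or a query string (where a
    per-recipient identifier such as su=31&s=112332 rides along) are reported
    as extra evidence. Inline (cid:) and data: images cause no remote fetch.
    """
    collector = ImageCollector()
    collector.feed(html_body(raw_message))
    hits = []
    for img in collector.images:
        src = img.get("src", "")
        url = urlsplit(src)
        if url.scheme not in ("http", "https"):
            continue
        reasons = ["remote image"]
        if img.get("width") == "1" and img.get("height") == "1":
            reasons.append("1x1 pixel")
        if url.query:
            params = ", ".join(f"{k}={v[0]}" for k, v in parse_qs(url.query).items())
            reasons.append("query string " + params)
        hits.append({"src": src, "host": url.hostname, "reasons": reasons})
    return hits


def block_remote_images(html):
    """Return the HTML with every remote <img> replaced by a visible placeholder.

    This is the "do not load remote content" mitigation: the text still
    renders, but no request for the image ever reaches the sender's server.
    """
    def replace(match):
        collector = ImageCollector()
        collector.feed(match.group(0))  # parse just this one tag
        img = collector.images[0] if collector.images else {}
        url = urlsplit(img.get("src", ""))
        if url.scheme in ("http", "https"):
            return f"[remote image blocked: {url.hostname}]"
        return match.group(0)  # inline images are left alone
    return re.sub(r"<img\b[^>]*>", replace, html, flags=re.IGNORECASE)


if __name__ == "__main__":
    for hit in find_web_bugs(SAMPLE_MESSAGE):
        print(hit["host"], "->", "; ".join(hit["reasons"]))
    print(block_remote_images(html_body(SAMPLE_MESSAGE)))
```

Run as a script, it reports the banner as a plain remote image and the track.php image as a remote, 1x1 image carrying su=31 and s=112332, then prints the body with both images replaced by placeholders. The regex in block_remote_images is deliberately simple (it assumes no ">" inside attribute values); a real filter would rewrite the parsed tree instead.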

Could things be even worse?

Sure! If you are so reckless that you use Outlook as your mail tool, you are making things much easier for the attacker.

Generally speaking, Explorer has the most insecure design of any web browser, and it appears that it also has the greatest security-related software implementation problems. Averaged over time, any other browser will be more secure. Most people like Firefox, which isn't perfect but is far less insecure than Explorer.

Now, it turns out that Outlook uses some of the fundamentally insecure modules of Explorer, and there is really nothing you can do about that. So while you are downloading Firefox, also download Thunderbird, the accompanying e-mail tool.

And don't forget to disable any HTML rendering of your messages!
