A practical example of why HTML e-mail is a bad idea


Summary

Viewing e-mail messages without rendering HTML formatted content can be a simple, easy, and effective security technique.


I received a phishing e-mail the other day, and it reminded me why I use mutt as my mail user agent.

The headers and text of the email look like this:

    Delivered-To: unknown
    Envelope-to: me@example.com
    Delivery-date: Wed, 11 Feb 2009 09:45:07 -0700
    Reply-To:
    From: "service@paypal.com"
    Subject: Account Expired ! Please renew your account !
    Date: Wed, 11 Feb 2009 11:48:20 -0500
    X-Priority: 1
    X-MSMail-Priority: High
    X-Mailer: Microsoft Outlook Express 6.00.2600.0000
    X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
    Bcc:
    X-OriginalArrivalTime: 11 Feb 2009 16:45:05.0698 (UTC) FILETIME=[17964020:01C98C68]
    X-user: ::::0.0.0.0:host.example.net::::::

    <html>
    <head>
    <meta http-equiv="Content-Language" content="en-us"> </meta><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
    <title></title>
    </meta></head>
    <body>
    <font face="Arial, Helvetica, sans-serif" size="2">Dear Member,<br />
    <br />
    Your PayPal account has expired. <br />
    You must renew it immediately or your account will be closed. <br />
    If you intend to use this service in the future, you must take action at once!<br />
    <br />
    To continue <a href="http://example.org/files/liaz/index.php">click
    here</a>, login to your PayPal account and follow the steps.<br />
    <br />
    Thank you for using PayPal!<br />
    The PayPal Team<br />
    <br />
    </font><font face="Arial, Helvetica, sans-serif" size="2">Please do not reply
    to this email. This mailbox is not monitored and you will not receive a respons.
    For assistence, log in to your PayPal<br />
    account and click the Help link located in the top right corner of any PayPal
    page.</font><font face="Arial, Helvetica, sans-serif" size="2"><br />
    <br />
    PayPal Email ID PP3573</font>
    </body>
    </html>

Obviously, I have changed all the domain names and IP addresses (other than PayPal's domain name) to protect my privacy and to protect any of you from accidentally visiting a phishing site. I don't want my readers getting infected because of my articles, after all.

The highlighted snippet (the <a href="..."> line in the body) contains a link. If you look at it closely, you'll notice that the href is not a PayPal URL, something you wouldn't necessarily notice if you viewed the e-mail with HTML rendered, which would just look like this:

[Image: the same spam e-mail, rendered as HTML]

This isn't exactly the cleverest phishing attempt in the world. It contains spelling errors, and it targets something that most security-aware people will immediately recognize as a common subject of phishing e-mail messages. A more carefully thought-out attempt might fool someone who doesn't habitually look at the plain text of e-mail, however.

In general, legitimate e-mail messages with HTML formatting come with a plain text version as well these days. When signing up for mailing lists and other mass-notifications, it is almost always possible to choose whether you get e-mail in plain text or HTML form. The exceptions are almost always phishing e-mail.

Some people may get more HTML formatted e-mail than others, of course, but for most of us there really isn't any need to render HTML for all e-mail messages. In my case, in fact, HTML formatting is a very accurate predictor that an e-mail I receive is unwanted, and I use HTML formatting as part of my spam filtering criteria.
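The two observations above (a link whose href leaves the sender's domain, and HTML-only mail with no text/plain alternative) can be turned into a mechanical check on the raw message, the way a plain-text reader such as mutt exposes them by eye. This is an added example, not code from the article; the sample message is constructed from the one quoted above with placeholder domains, and the domain-mismatch rule is an assumption of this example rather than a rule the article states:

```python
import email
import email.utils
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the message quoted above; domains are placeholders.
SAMPLE = b"""From: "service@paypal.com" <service@paypal.com>
Subject: Account Expired ! Please renew your account !
Content-Type: text/html; charset=windows-1252

<html><body>To continue <a href="http://example.org/files/liaz/index.php">click
here</a>, login to your PayPal account and follow the steps.</body></html>
"""

class LinkCollector(HTMLParser):
    # Collects (href, visible link text) pairs from every <a> in an HTML part.
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join("".join(self._text).split())))
            self._href = None

def analyse(raw):
    """Return findings for a raw RFC 822 message; an empty list means nothing flagged."""
    msg = email.message_from_bytes(raw, policy=policy.default)
    html = msg.get_body(preferencelist=("html",))
    if html is None:
        return []                                # plain-text mail: nothing to render
    # The article's heuristic: legitimate HTML mail ships a text/plain alternative.
    findings = [] if msg.get_body(preferencelist=("plain",)) else ["html-only: no text/plain alternative"]
    parser = LinkCollector()
    parser.feed(html.get_content())
    sdom = email.utils.parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    for href, text in parser.links:
        host = (urlparse(href).hostname or "").lower()
        # Flag hrefs that leave the sender's domain: the mismatch plain-text viewing exposes.
        if sdom and host != sdom and not host.endswith("." + sdom):
            findings.append(f"link {text!r} points to {host!r}, not {sdom!r}")
    return findings
```

Wired into a procmail or mutt filter, a non-empty result is a reasonable trigger to quarantine or mark the message rather than to render it.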

In my list of basic e-mail security tips from almost a year ago, I mentioned that one should avoid letting HTML render in your e-mail client. Take this as an object lesson in the kind of threat HTML e-mail can present.

Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.

Talkback

A practical example of why HTML e-mail is a bad idea

erm....these are now easily detected automatically in any popular html email client available today.....

Marc March 31, 2009

A practical example of why HTML e-mail is a bad idea

In this case, any other web pages will also present the same set of risks.

I do think tiny url is very most risky. I gave a detailed explanation at http://sgenterprise20.blogspot.com/2009/03/twitter-are-we-using-it-right-way.html

Sim Hua Soon April 8, 2009
