A practical example of why HTML e-mail is a bad idea
Tuesday, March 31, 2009 11:33 AM
Viewing e-mail messages without rendering HTML formatted content can be a simple, easy, and effective security technique.
I received a phishing e-mail the other day, and it reminded me why I use mutt as my mail user agent.
The headers and text of the email look like this:
Delivered-To: unknown
Envelope-to: me@example.com
Delivery-date: Wed, 11 Feb 2009 09:45:07 -0700
Reply-To:
From: "service@paypal.com"
Subject: Account Expired ! Please renew your account !
Date: Wed, 11 Feb 2009 11:48:20 -0500
X-Priority: 1
X-MSMail-Priority: High
X-Mailer: Microsoft Outlook Express 6.00.2600.0000
X-MimeOLE: Produced By Microsoft MimeOLE V6.00.2600.0000
Bcc:
X-OriginalArrivalTime: 11 Feb 2009 16:45:05.0698 (UTC)
FILETIME=[17964020:01C98C68]
X-user: ::::0.0.0.0:host.example.net::::::
<html>
<head>
<meta http-equiv="Content-Language" content="en-us">
</meta><meta http-equiv="Content-Type" content="text/html; charset=windows-1252">
<title></title>
</meta></head>
<body>
<font face="Arial, Helvetica, sans-serif" size="2">Dear Member,<br />
<br />
Your PayPal account has expired. <br />
You must renew it immediately or your account will be closed. <br />
If you intend to use this service in the future, you must take action at once!<br />
To continue <a href="http://example.org/files/liaz/index.php">click
here</a>, login to your PayPal account and follow the steps.<br />
<br />
Thank you for using PayPal!<br />
The PayPal Team<br />
<br />
</font><font face="Arial, Helvetica, sans-serif" size="2">Please do not reply
to this email. This mailbox is not monitored and you will not receive a respons.
For assistence, log in to your PayPal<br />
account and click the Help link located in the top right corner of any PayPal
page.</font><font face="Arial, Helvetica, sans-serif" size="2"><br />
<br />
PayPal Email ID PP3573</font>
</body>
</html>
Obviously, I have changed all the domain names and IP addresses (other than PayPal's domain name) to protect my privacy and to protect any of you from accidentally visiting a phishing site. I don't want my readers getting infected because of my articles, after all.
The snippet above contains a link. If you look at it closely, you'll notice that the URL in the link is not a PayPal URL, something you wouldn't necessarily notice if you viewed the e-mail with HTML rendered, where the link would simply appear as the words "click here".
This isn't exactly the cleverest phishing attempt in the world. It contains spelling errors, and it targets something that most security-aware people will immediately recognize as a common subject of phishing e-mail messages. A more carefully thought-out attempt might fool someone who doesn't habitually look at the plain text of e-mail, however.
In general, legitimate e-mail messages with HTML formatting come with a plain text version as well these days. When signing up for mailing lists and other mass-notifications, it is almost always possible to choose whether you get e-mail in plain text or HTML form. The exceptions are almost always phishing e-mail.
Some people may get more HTML formatted e-mail than others, of course, but for most of us there really isn't any need to render HTML for all e-mail messages. In my case, in fact, HTML formatting is a very accurate predictor that an e-mail I receive is unwanted, and I use HTML formatting as part of my spam filtering criteria.
In my list of basic e-mail security tips from almost a year ago, I mentioned that one should avoid letting HTML render in your e-mail client. Take this as an object lesson in the kind of threat HTML e-mail can present.
Chad Perrin is an IT consultant, developer, and freelance professional writer. He holds both Microsoft and CompTIA certifications and is a graduate of two IT industry trade schools.
Erm... these are now easily detected automatically in any popular HTML e-mail client available today...
Posted by Marc on Tuesday, March 31 2009 02:52 PM