Firewall Wizards mailing list archives
Re: HTML Emails and Firewall Security
From: "Bill Royds" <broyds () rogers com>
Date: Wed, 30 Jul 2003 21:41:50 -0400
The new Microsoft Outlook client has several levels of HTML filtering from text only to "html only with no images or script or other links" to html with no script but with embedded images to full blown HTML.

The second level (HTML formatting for text but no other HTML) is probably the best for most users. It allows some structure in a message (heading, italic, bold, tabular data) to help convey information in a more readable fashion than plain text, but limits the effects of scripts or web bugs.

----- Original Message -----
From: "Paul Robertson" <proberts () patriot net>
To: "Ron Suarez" <rsuarez () videotron ca>
Cc: <firewall-wizards () honor icsalabs com>
Sent: Wednesday, July 30, 2003 8:54 PM
Subject: Re: [fw-wiz] HTML Emails and Firewall Security

On Wed, 30 Jul 2003, Ron Suarez wrote:

> Hi all, I've been reading that HTML email can compromise network security.
> Because

Well, to be more accurate, bugs in applications that handle HTML can be used to compromise network security.

> of this, some companies filter out html email. Even Microsoft has decided
> to disable the HTML function in the default installation of upcoming
> versions of Microsoft Outlook.

That's interesting, I hadn't heard that, but I applaud it wholeheartedly.

> I'm curious how many of you also see this as a threat to your network and
> also filter out html emails?

I've seen a few products that do that, I've had things in place ready to do that if there was an immediate threat, but haven't seen it necessary to do so.

> I am also seeing more and more B2B marketing departments send html email
> (eNewsletters) as part of their strategy. I'm thinking that their emails
> aren't being received properly by their clients or received at all.

Better than 90% of the spam I get is HTML, I've considered bouncing it automatically from the list too.

> What are your thoughts?

HTML is fine for Web pages, but the parsing of it, along with the active content payload makes it dangerous. I wouldn't actively block it, but I'd consider actively breaking it (I've run the old FWTK proxy with the Hitachi patches for active stuff for Web browsing) - I don't think there's much that you lose by removing all the tags or changing them to comments.

It's not allowed on the list because of the concerns about active content embedded within it more than anything (and it's annoying if you don't use an HTML-enabled mail client.)

Paul
-----------------------------------------------------------------------------
Paul D. Robertson      "My statements in this message are personal opinions
proberts () patriot net      which may have no basis whatsoever in fact."
probertson () trusecure com Director of Risk Assessment TruSecure Corporation

_______________________________________________
firewall-wizards mailing list
firewall-wizards () honor icsalabs com
http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
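
The "removing all the tags" option from the quoted reply, sketched as an added example that is not part of the original thread: a mail filter step that rewrites every text/html MIME part as text/plain, keeping the words and dropping tags, attributes, scripts and remote image references. The names TagStripper, strip_tags and break_html and the sample message are this example's own.

```python
from email import message_from_string, policy
from html.parser import HTMLParser

BLOCK_TAGS = {"p", "br", "div", "tr", "li", "h1", "h2", "h3"}  # become line breaks
DROP_BODY = {"script", "style"}  # element content is discarded, not just the tags

class TagStripper(HTMLParser):
    """Keep character data only; every tag, attribute and comment is dropped."""
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.chunks, self.skip_depth = [], 0

    def handle_starttag(self, tag, attrs):
        if tag in DROP_BODY:
            self.skip_depth += 1
        elif tag in BLOCK_TAGS:
            self.chunks.append("\n")

    def handle_endtag(self, tag):
        if tag in DROP_BODY and self.skip_depth:
            self.skip_depth -= 1

    def handle_data(self, data):
        if not self.skip_depth:
            self.chunks.append(data)

def strip_tags(html: str) -> str:
    parser = TagStripper()
    parser.feed(html)
    parser.close()
    lines = (" ".join(line.split()) for line in "".join(parser.chunks).splitlines())
    return "\n".join(line for line in lines if line) + "\n"

def break_html(raw_message: str):
    """Return the parsed message with every text/html part replaced by text/plain."""
    msg = message_from_string(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            part.set_content(strip_tags(part.get_content()))  # resets Content-Type
    return msg

# Constructed sample (hypothetical newsletter with a script and a web bug).
SAMPLE = (
    'From: news@example.com\nSubject: Newsletter\nMIME-Version: 1.0\n'
    'Content-Type: multipart/alternative; boundary="b1"\n\n'
    '--b1\nContent-Type: text/plain\n\nQuarterly results are in.\n'
    '--b1\nContent-Type: text/html\n\n<h1>Quarterly results</h1>'
    "<script>window.status='hi'</script>"
    '<p>Results are <b>in</b>.<img src="http://tracker.example/bug.gif"></p>\n--b1--\n'
)
```

Because the rewritten part is declared text/plain, a mail client displays any leftover markup characters literally instead of parsing them.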