[thelist] HTML EMail templates

aardvark roselli at earthlink.net
Wed Mar 21 10:51:02 CST 2001

> From: "Green, Janet" <JGreen at DesMoinesMetro.com>
> Aardvark, or anyone really, could you outline briefly what some of the
> security issues *are* with this type of thing? For those of us
> unfamiliar with the lingo, how does an html-based email provide direct
> access to your OS? And to whom? 

well, think of the biggest email viruses we've seen... things like 
Melissa only affect Windows95+ machines running Outlook...

the reason is that Outlook will use IE's engine to render HTML 
email, and that includes rendering/running any embedded script... 
so if someone includes the script of Melissa in a script block in an 
HTML email, you run the risk of hosing your machine...

granted, most of those viruses are people double-clicking the .vbs 
attachment, but you can still cause some hassle...

now, aside from hacking, there are other concerns... think of bad 
JavaScript that crashes browsers, or bad HTML as well... as it gets 
rendered by Outlook and the IE engine, you've just crashed 
Outlook and all open Explorer windows... plain text email wouldn't 
have done that...

and there are many security issues with just plain ol' HTML and 
JS, as well... just look at the dozens of patches MS has released 
for IE (and, by the law of syllogism, Outlook)... that alone should 
indicate something's not truly safe...

however, if you run another OS or mail client, you can be pretty 
clear of all this hassle... but i use Pegasus Mail, and you should 
see how it tries to render HTML email... it makes Amaya look 
positively state-of-the-art... no self-respecting marketer would send 
an HTML email if he/she saw how it rendered in a non-Outlook 
email client...

> Seems to me that any or all of these situations will apply to a good
> percentage of your marketing department's audience (particularly the
> complaints about Outlook, one of those pervasive Microsoft products,
> and particularly anything implying a possible security problem).


> Obviously, this would render their "fancy emails" either useless,
> unreadable, or annoying. Good reasons all not to do it!! :)

exactly... if they are emailing a savvy crowd, like us on the list, 
many of those people will *not* be happy, and if they are anything 
like me, get added to the bozo filter...

sometimes i even send their HTML spam back to them, and all the 
email addresses i can find on their site, hopefully to prove that it 
can be damn annoying...

More information about the thelist mailing list