RE: Blocking HTML e-Mail

From: BRAD GRIFFIN (b.griffin@cqu.edu.au)
Date: 04/04/02


From: BRAD GRIFFIN <b.griffin@cqu.edu.au>
To: security-basics@securityfocus.com
Date: Thu, 4 Apr 2002 08:19:58 +1000 


> -----Original Message-----
> From: Paul Petersen [mailto:ppetersen@subdimension.com]
> Sent: Wednesday, 3 April 2002 11:03
> To: security-basics@securityfocus.com
> Subject: Blocking HTML e-Mail
>
>
> In our organization we are seeing increasing incidents of e-Mail rcv'd
> (mostly from Eastern European sources) with embedded objects that are
> automatically opening (based on IFRAME tag) a browser window where the
> attachment is displayed.
>
*snip*
>
> But the real reason for this post is to ask what efforts have other
> organizations been making with respect to blocking HTML e-Mails. This issue
> and the simple fact that malicious code can be introduced into e-Mail via
> HTML based scripts (possibly introducing an e-Mail wiretap) scares me, but I
> have no real evidence of it being a serious issue to anyone but my own
> paranoid self.
>
> Yes I could theoretically implement the Outlook Security Patch and totally
> lock down OL/IE to not do anything with scripts (but not sure about IFRAME
> tags) and then look for another job.

Completely blocking HTML may not be necessary. Why not adjust the 'Restricted Sites' zone to disable all types of scripting etc, disable opening Iframes and generally place most other options as disabled or high security/safety, then place the mail app (I'm assuming OE or Outlook) into the restricted sites zone? This will help protect your workstations. If you are using XP and Outlook (2002), you can modify the program to only display plain text (check your options/config).

>
> Has anyone actually taken steps to screen HTML e-Mail or eliminate it from
> their orgs? Would love to know what drove the decision.

As for the mail server end, I'm sure you could implement some sort of filtering based on anything that contains HTML tags at the most restrictive, to script tags or IFRAME tags at a lesser level.

Cheers,
Brad
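
The two server-side filtering levels described in the reply above (reject any HTML at the most restrictive, or only script/IFRAME tags at a lesser level), sketched as an added example that is not part of the original post. The function names, the `strict`/`active` level names and the sample messages are assumptions constructed for illustration; the MIME and HTML parsing uses Python's standard `email` and `html.parser` modules.

```python
import base64
from email import message_from_bytes, policy
from html.parser import HTMLParser

ACTIVE_TAGS = {"script", "iframe"}  # the two tags named in the post

class TagCollector(HTMLParser):
    """Collects start-tag names; HTMLParser lower-cases them and tolerates bad markup."""

    def __init__(self):
        super().__init__()
        self.tags = set()

    def handle_starttag(self, tag, attrs):
        self.tags.add(tag)

def verdict(raw, level="active"):
    """'strict' rejects any text/html part; 'active' rejects only script/iframe."""
    msg = message_from_bytes(raw, policy=policy.default)
    has_html, found = False, set()
    for part in msg.walk():  # walk() also reaches nested multipart children
        if part.get_content_type() != "text/html":
            continue
        has_html = True
        # decode=True undoes base64/quoted-printable, which a byte-level grep would miss
        body = (part.get_payload(decode=True) or b"").decode("latin-1")
        collector = TagCollector()
        collector.feed(body)
        collector.close()
        found |= collector.tags & ACTIVE_TAGS
    if level == "strict" and has_html:
        return ("reject", "HTML part present")
    if found:
        return ("reject", "active tags: " + ", ".join(sorted(found)))
    return ("accept", "")

def _mail(ctype, body, encode=False):
    """Build a constructed sample message (not real traffic)."""
    head = b"From: a@example.com\r\nMIME-Version: 1.0\r\nContent-Type: " + ctype
    if encode:
        head += b"\r\nContent-Transfer-Encoding: base64"
        body = base64.encodebytes(body)
    return head + b"\r\n\r\n" + body

PLAIN = _mail(b"text/plain", b"see you at 10\r\n")
BENIGN_HTML = _mail(b"text/html", b"<p>see you at <b>10</b></p>\r\n")
IFRAME_B64 = _mail(b"text/html", b'<IFRAME SRC="cid:a1" HEIGHT=0></IFRAME>', encode=True)
```

The check is tag-level only: it decodes the transfer encoding and parses the markup before matching, so an upper-case or base64-encoded IFRAME is still caught, but it does not inspect attributes or attachments.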