Re: Help with AVG Anti-virus email scanning



Ertugrul Söylemez <es@xxxxxxxx> wrote in news:fv9f6g$io9$03$1@xxxxxxxxxxxxxxxxx:

bz <bz+csm@xxxxxxxxxxxxxxxxxxxx> wrote:

What's wrong with HTML emails without remote content? Why the
unnecessary inconvenience with ZIP files? I understand that in some
places (e.g. newsgroups) HTML mails are inappropriate, but why this
generalization?

Oh, here are a few of my reasons:

I've made a statement to most of these in my reply to Sebastian, so you
may want to have a look at <fv9cqq$7e8$02$1@xxxxxxxxxxxxxxxxx>, too.


1) [...] Information, not 'beauty' or 'cute'.

Formatting is not meant to make information beautiful or cute.

What is it meant for?



2) html enabled e-mail clients are executing programs that others have
sent you when they render html coded text.

Odd, mine doesn't. Maybe I misconfigured it?

Maybe you and I disagree a bit on what is meant by 'executing programs'.
And maybe you and I see different sides of the problem. You seem concerned
with protecting YOUR computer.

I, on the other hand, clean computers for people after they have been
infected due to clueless use.

3) it is practically impossible to 'foolproof' such rendering so as to
protect the viewer from all possible attacks.

HTML is much more complex than plain-text, yes. Still, we have very
good SGML and XML parsers, which are well tested and seldomly fail in a
way that can be exploited.

'Seldom' is too often.

Reinventing the wheel is a bad idea in this
place, so you would just use one of these parsers.

I see people spend hundreds of hours making their HTML 'look right' on
their screen. They don't realize that the format and display is platform
and browser dependent. Even when it is explained to them, they still don't
'get it' on a deep level and STILL try to make it 'look right' on their
screen. They don't 'get it' until I show them how it looks on another
computer.

Using HTML in e-mail is like gluing flowers on your car's tires.

It looks pretty until you try to use it.

Some of the flowers (roses for example) have thorns and poke holes in the
tires.

BTW, if it would be that bad, web browsers would be much more hazardous
to use.

They are much more hazardous than you imagine. I see infected machines
every day, usually infected by browsing or reading e-mails.


Consider that a mail-reader would only need a small subset of
the possible HTML extensions, e.g. it doesn't need stuff like JavaScript
and you may even decide to disregard things like CSS).

And do these things come 'turned off' by default?

I turn off all html rendering AND do not 'preview'. Not only that, but any
suspicious e-mail I 'view source' rather than opening.

And I use thunderbird. But the users in my department use Outlook and
Outlook express. Their machines get infected.

When I want to open a suspicious e-mail, I open it on a 'sandbox' machine
running under VMware or boot from a KNOPPIX cd.

4) embedded images in html can tell the sender 'an idiot just opened
the e-mail I sent them' so you just told the spammer that the e-mail
address is a good one. He can now sell it to other spammers.

Read the first sentence of my last reply again.

Your responsibility seems limited to your machines.

6) html can be coded so that the viewer sees one link while being sent
to a different place on the web.

How? Remember, we

You have a mouse in your pocket? Who is 'we'?
How would you get 40,000 students and 3,000 faculty/staff to 'practice safe
hex'?

ignore JavaScript for mails, and the destination
address is shown in the status bar.

That feature can be disabled. It can also be fooled and you seem to assume
that the user LOOKS at the status bar before they click on the link.
I'll bet that even YOU have 'clicked first', sometime.

7) Those that fight spam OFTEN use text only e-mail client in self
defense. I do.

That's okay. I do, too. Though I have an HTML plugin loaded, it
displays the plaintext parts by default, and displays nothing if there
is no plaintext part. I have to specifically select the HTML part, if I
want to view it.

Reason: Some HTML-enabled mail-readers format their plaintext parts
that horribly, that the HTML part is just much more readable.

You assume that all HTML rendering is good and readable. I was just looking
at a web page where text was overlaying other text.

Products
from the Outlook family are one example.

Microsoft's fault.


8) Some discard ALL html encoded and graphic encoded incoming e-mail,
unviewed.

Those people don't do serious business.

What you call 'serious business', some others might consider to be chicken
feed.

90% of my incoming business
emails have an HTML part.

If you handle your 'serious business' via e-mail, you have a problem.

E-mail never has been and never will be reliable. E-mails get lost.

That is why 'serious companies' do not allow the use of e-mail for 'serious
business'. It IS useful for some things but if you want to make sure your
message gets through, talk to them on the telephone, confirm via fax. Check
via e-mail to make sure the fax got through ok.

90% of my incoming spam has HTML. Eliminating HTML eliminates 90% of the
spam.

There are several other good reasons that I can't think of at the
moment but they are all related to 'microsoft thought it would be cool
to make messages pretty. They assumed a small office environment.'
Since they came up with that bright idea, many viruses have been
spread that way. They keep plugging holes in the dike, but there are
more holes yet to be discovered.

They were the first to use the MIME and HTML standards in that way. How
they did it was rather abusive, but we shouldn't demonize a technology
just because one damn company misimplemented it.

I don't demonize it 'just because....'
I 'demonize it' because it was a bad idea and has yet to be implemented
properly.
And because Microsoft continues to mis-implement it!

It (html via e-mail) was a bad idea to start with. It is STILL a bad
idea. Nothing I can think of will ever make it a good idea.

People like you said similar things when color TVs, CRT monitors (as
opposed to phosphor), LCD monitors (as opposed to CRT), graphics cards,
OpenGL, fancy user interfaces, mice, 32-bit processors and other things
came out. They are more complex and so more likely to fail, and we
would never really need them.

I have been playing with computers since 1964 and electronics longer than
that.
I have fixed those TVs etc for a living, done board repair on computers for
a living, programmed for a living.

I like 'new and improved' when it is really improved.

It's a matter of taste. Feel free to tell us your opinion, but remember
that your opinion is based on the state of things, not the other way
round.

You ASKED. I answered.

Of course, opinions are like noses, everyone has one.

That sounds like you'd like it to be different.

There are many things I would like to see improved.



--
bz

please pardon my infinite ignorance, the set-of-things-I-do-not-know is an
infinite set.

bz+csm@xxxxxxxxxxxxxxxxxxxx remove ch100-5 to avoid spam trap
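
Points 4 and 6 in the post above (remote images that confirm an address is live, and links whose visible text differs from their destination), along with the practice of displaying only the plaintext part, can be checked mechanically. This is an added example, not part of the original post; the sample message, its hosts and the names `Audit` and `audit_message` are constructed for illustration.

```python
import email.policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample message (not from the thread); example.* hosts are placeholders.
SAMPLE = """\
From: sender@example.com
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain

Please review your account.
--b1
Content-Type: text/html

<p>Go to <a href="http://login.example.net/x">http://www.example.com/account</a></p>
<img src="http://track.example.net/open.gif?id=42" width="1" height="1">
--b1--
"""

class Audit(HTMLParser):
    """Collect remote images and links whose visible URL names a different host."""
    def __init__(self):
        super().__init__()
        self.remote_images, self.mismatched_links = [], []
        self._href, self._text = None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        # A src with a network location is fetched from the sender's server on render;
        # cid: and data: images have no netloc and are not flagged.
        if tag == "img" and urlparse(a.get("src") or "").netloc:
            self.remote_images.append(a["src"])
        elif tag == "a":
            self._href, self._text = a.get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            shown = "".join(self._text).strip()
            if "://" in shown and urlparse(shown).hostname != urlparse(self._href).hostname:
                self.mismatched_links.append((shown, self._href))
            self._href = None

def audit_message(raw):
    """Return (plaintext part to display, remote image URLs, mismatched links)."""
    msg = email.message_from_string(raw, policy=email.policy.default)
    plain, html = (msg.get_body(preferencelist=(t,)) for t in ("plain", "html"))
    audit = Audit()
    if html is not None:
        audit.feed(html.get_content())  # parsed only, never rendered or fetched
    text = plain.get_content().strip() if plain else None
    return text, audit.remote_images, audit.mismatched_links
```

The HTML part is only parsed, never rendered, so nothing is fetched; a message with no plaintext part yields `None` for the text to display.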