Posted by: Arian Eigen Heald
HTML email security, information security, Privacy, privacy on the web, web bugs
I’m a big advocate of disabling HTML in email messages. The marketing people scream because they can’t run their pretty code to sell products and convey appealing images. Other folks love being able to use those nice fonts you can’t use with Rich Text for signatures.
But a pretty face can’t justify the dangers in accepting HTML email. I’m not talking about Gmail, Yahoo or Hotmail – those are web clients for email. By default they accept HTML email, but you can turn that off.
Virus writers have known for years that the auto-open of Microsoft Outlook will “run” HTML code, including activating embedded web bugs.
The recent report on Web Tracking by the University of California at Berkeley spotlights the use of web bugs on web pages and HTML email messages. HTML Email can be written to:
1. Use a web bug to find out if a particular message has been read by someone and if so, when the message was read.
2. Use a web bug to provide the IP address of the recipient.
3. Use a web bug to report how often a message is being forwarded and read.
Spammers love web bugs, because they can be invisibly embedded in the email HTML code to do the following:
1. To detect whether someone has viewed a junk email message or not. People who do not view a message are removed from the list for future mailings.
2. To synchronize a Web browser cookie to a particular email address. This trick allows a Web site to know the identity of people who come to the site at a later date.
Plus, phishers can use HTML to disguise the link that they send in the email so that it “looks” like a legit site.
HTML in email can be turned off, and frankly, should be turned off.
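For mail that still arrives as HTML, the two behaviours described above can be checked before a message is rendered: remote images (each fetch reveals the reader's IP address and the time of opening) and links whose visible text names a different host than the real target. The following is an added example, not part of the original post; the sample message, its hosts, and the names `MailHtmlAudit` and `audit` are constructed for illustration.

```python
from html.parser import HTMLParser

from urllib.parse import urlparse

# Constructed sample message body; every host below is a placeholder.
SAMPLE = """<p>Statement ready: <a href="http://login.tracker.example/a?u=42">www.example-bank.test</a></p>
<p><a href="https://www.example-bank.test/help">Help centre</a></p>
<img src="http://tracker.example/open.gif?id=alice%40example.org" width="1" height="1">
<img src="cid:logo123" width="200" height="50">"""

def _host(value):
    # Hostname of a URL or bare host string, or None if it does not parse.
    try:
        return urlparse(value if "://" in value else "//" + value).hostname
    except ValueError:
        return None

class MailHtmlAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote_images = []    # every image fetched from a remote server
        self.web_bugs = []         # remote images that are tiny or hidden
        self.disguised_links = []  # (visible text, real href) pairs that disagree
        self._href, self._text = None, []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "img":
            src = a.get("src") or ""
            if src.lower().startswith(("http://", "https://")):
                self.remote_images.append(src)
                style = (a.get("style") or "").replace(" ", "").lower()
                tiny = a.get("width") in ("0", "1") or a.get("height") in ("0", "1")
                if tiny or "display:none" in style or "visibility:hidden" in style:
                    self.web_bugs.append(src)
        elif tag == "a":
            self._href, self._text = a.get("href") or "", []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            # Compare only when the visible text itself looks like a host or URL.
            shown = _host(text) if "." in text and " " not in text else None
            real = _host(self._href) if "://" in self._href else None
            if shown and real and shown != real:
                self.disguised_links.append((text, self._href))
            self._href = None

def audit(html):
    parser = MailHtmlAudit()
    parser.feed(html)
    parser.close()
    return parser
```

Any entry in `remote_images` is enough to report a message as read; `web_bugs` is the subset that is also invisible to the reader.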