Firewall Wizards mailing list archives
Re: HTML Emails and Firewall Security
From: Paul Robertson <proberts () patriot net>
Date: Wed, 30 Jul 2003 20:54:33 -0400 (EDT)
On Wed, 30 Jul 2003, Ron Suarez wrote:
Hi all, I've been reading that HTML email can compromise network security. Because
Well, to be more accurate, bugs in applications that handle HTML can be used to compromise network security.
if this, some companies filter out html email. Even Microsoft has decided to disable the HTML function in the default installation of upcoming versions of Microsoft Outlook.
That's interesting, I hadn't heard that, but I applaud it wholeheartedly.
I'm curious how many of you also see this as a threat to your network and also filter out html emails?
I've seen a few products that do that, I've had things in place ready to do that if there was an immediate threat, but haven't seen it necessary to do so.
I am also seeing more and more B2B marketing departments send html email (eNewsletters) as part of their strategy. I'm thinking that their emails aren't being received properly by their clients or received at all.
Better than 90% of the spam I get is HTML, I've considered bouncing it automatically from the list too.
What are your thoughts?
HTML is fine for Web pages, but the parsing of it, along with the active content payload makes it dangerous. I wouldn't actively block it, but I'd consider actively breaking it (I've run the old FWTK proxy with the Hitachi patches for active stuff for Web browsing) - I don't think there's much that you lose by removing all the tags or changing them to comments. It's not allowd on the list because of the concerns about active content embedded within it more than anything (and it's annoying if you don't use an HTML-enabled mail client.) Paul ----------------------------------------------------------------------------- Paul D. Robertson "My statements in this message are personal opinions proberts () patriot net which may have no basis whatsoever in fact." probertson () trusecure com Director of Risk Assessment TruSecure Corporation _______________________________________________ firewall-wizards mailing list firewall-wizards () honor icsalabs com http://honor.icsalabs.com/mailman/listinfo/firewall-wizards
Current thread:
- HTML Emails and Firewall Security Ron Suarez (Jul 30)
- Re: HTML Emails and Firewall Security Paul Robertson (Jul 30)
- Re: HTML Emails and Firewall Security Bill Royds (Jul 31)
- Re: HTML Emails and Firewall Security Gary Flynn (Jul 31)
- Re: HTML Emails and Firewall Security Paul Robertson (Jul 31)
- Re: HTML Emails and Firewall Security Paul Robertson (Jul 30)