Hear This, Plain Text Fundamentalists

kelley kelley at interpactinc.com
Wed May 30 14:44:44 PDT 2001


that's why i told you to get that software that allows you to use a stand alone mailer like eudora to retrieve and send AOL mail. enetbot i believe it is called. i told someone else about it and it works fine.

here are two reasons why you shouldn't use html mail.

1. the other day, people on a teacher's list that i've been observing got a virus because it was embedded in HTML mail. no need to click on an attachment. they tucked malicious code right in there and no one knew, unless they were running antivirus software. however, had the person who initiated the virus in the first place been clever and changed a string of code or two, it might not have been detected.

2. below is an exploit that is used, actually, against eudora when a user uses Microsoft viewer to view HTML mail. i send it on because i imagine that the same can be done to AOL. but, it's also for others who run HTML and still don't understand why people would prefer that you didn't. it is hardly an issue of personal preference and taste.

why?

1. html takes up more bandwidth.
2. html can't be read by every mail reader.
3. html was/is crap foisted on the public by MS and AOhell.
4. html is susceptible to exploits that could--COULD--mean you get hacked by someone interested in whatever is on your machine--which might mean that they could get info to get into your employer's network (if they have one)

this was posted on Bugtraq which is a list for people who look for security holes in software that can be exploited to run, say, "malware" via invisible images tucked inside all that code.

Monday, May 28, 2001

Silent delivery and installation of an executable on a target computer. This can be accomplished with the default installation of the mail client Eudora 5.1:

'allow executables in HTML content' DISABLED
'use Microsoft viewer' ENABLED

The manufacturer http://www.eudora.com has done a tremendous job of shutting down all possibilities of scripting and all other necessaries to achieve the following result. See:

http://www.securityfocus.com/bid/2490

However there still remains a number of good possibilities. One of which is the following that we find to be quite interesting.

1. Using the POWAH! of Internet Explorer, we create yet another HTML mail message as follows:

<FORM action="cid:master.malware.com" method=post target=new><button type=submit style="width:130pt;height:20pt;cursor:hand;background-color:transparent;border:0pt"><font color=#0000ff><u>http://www.malware.com</u></font></button> </FORM>
<img SRC="cid:master.malware.com" height=1 width=1><img SRC="cid:http://www.malware.com" height=1 width=1>

Where our first image is our executable. Our second image comprises a simple JavaScripting and ActiveX control.

What happens is, once the mail message is opened in Eudora 5.1, the two 'embedded' images are silently and instantly transferred to the 'Embedded' folder.

What we then do is create a simple html form and button. Owing to the POWAH! of Internet Explorer, we are able to create this button with a transparent background. In addition, we are able to dispose of the border of this button, which combined with the transparent background gives us nothing. That is, we have a fully functional form and button but we are not able to see it. We then create a fake link and incorporate that into our invisible button. We then embed our simple JavaScripting and ActiveX control into our invisible button and fire it off to our target computer:

before click

(screen shot: http://www.malware.com/heydora.jpg 62KB)

after click:

(screen shot: http://www.malware.com/hey!dora.jpg 62KB)

The recipient is then lulled into clicking on the "link". What that does is pull our html file comprising our simple JavaScripting and ActiveX control out of the embedded folder and into a new Internet Explorer Window.

Because our *.exe and our simple JavaScripting and ActiveX control reside in the same folder [the so-called 'Embedded' folder], and because it is automatically opened in our new Internet Explorer Window, everything is instant.

No warnings. No nothing.

The *.exe is executed instantly.

2. Working Example. Harmless *.exe. incorporated. Tested on win98, with IE5.5 (all of its patches and so-called service packs), default Eudora 5.1 with 'use Microsoft viewer' ENABLED and 'allow executables in HTML content' DISABLED.

The following is in plaintext. We are unable to figure out how to import a single message into Eudora's inbox. Perhaps some bright spark knows. Otherwise, incorporate the text sample into a telnet session or other and fire off to your Eudora inbox:

http://www.malware.com/hey!DORA.txt

Notes: disable 'use Microsoft viewer'

--- http://www.malware.com

At 01:14 PM 5/29/01 -0400, LeoCasey at aol.com wrote:
>For the plain text fundamentalists, a word on my travails.
>
>It is clear to me, after numerous attempts and endless hours, that AOL 6.0
>will simply not send a plain text message. I am also locked into AOL, for
>reasons I do not need to explain to all once again. Consequently, I went
>about, on the advice of folks on this list, attempting to obtain software
>which would allow me to send plain text messages. I purchased a copy of
>Eudora via downloading from the web, and my office computer crashed shortly
>thereafter, leaving me with zilch. This weekend I bought a hard copy of
>Eudora, and discovered -- after much grief in trying to make it work -- that
>it is impossible to access AOL, Compuserve or MSN through Eudora or other
>similar software. That is something Eudora tells you after the fact.
>
>Having thrown close to $100 down the drain [probably enough to cover the cost
>of a week or two of LBO-Talk], I am putting a close to all attempts to find a
>plain text alternative. Please don't send other folks on similar wild goose
>chases on other listservs.
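
For anyone filtering or reviewing HTML mail, the traits the forwarded advisory relies on (a form whose action is a cid: part, a transparent borderless button wrapping link-looking text, and 1x1 images loaded from cid: parts) can be flagged statically. This is an added example, not part of the original post or the advisory; the sample markup is constructed with example.com placeholders and the finding names are hypothetical.

```python
import re
from html.parser import HTMLParser

# Constructed sample modelled on the markup quoted in the advisory (placeholder hosts).
SAMPLE = '''<FORM action="cid:part1.example" method=post target=new>
<button type=submit style="width:130pt;height:20pt;cursor:hand;background-color:transparent;border:0pt">
<font color=#0000ff><u>http://www.example.com</u></font></button></FORM>
<img SRC="cid:part1.example" height=1 width=1>
<img SRC="cid:http://www.example.com" height=1 width=1>'''

class HtmlMailAudit(HTMLParser):
    """Collects a finding for each trait the advisory's message depends on."""
    def __init__(self):
        super().__init__()
        self.findings = []
        self.in_button = False

    def handle_starttag(self, tag, attrs):
        a = {k: (v or "") for k, v in attrs}  # names arrive lower-cased
        # A form that submits to an embedded MIME part rather than a URL.
        if tag == "form" and a.get("action", "").lower().startswith("cid:"):
            self.findings.append("form-posts-to-cid")
        if tag == "button":
            self.in_button = True
            style = a.get("style", "").lower().replace(" ", "")
            # Transparent background plus zero border: the button cannot be seen.
            if ("background-color:transparent" in style
                    and re.search(r"border:0(pt|px)?(;|$)", style)):
                self.findings.append("invisible-button")
        # Tiny images sourced from embedded parts: content is saved, nothing is shown.
        if tag == "img" and a.get("src", "").lower().startswith("cid:"):
            if a.get("height") == "1" and a.get("width") == "1":
                self.findings.append("1x1-cid-image")

    def handle_endtag(self, tag):
        if tag == "button":
            self.in_button = False

    def handle_data(self, data):
        # Text that looks like a URL but sits inside a submit button, not an <a>.
        if self.in_button and re.search(r"https?://", data):
            self.findings.append("link-text-inside-button")

def audit(html):
    """Return the list of findings for one HTML mail body."""
    parser = HtmlMailAudit()
    parser.feed(html)
    parser.close()
    return parser.findings
```

Run `audit()` over the text/html part of a message; any of these findings is a reason to show the message as plain text instead of rendering it.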


