Don't be fooled into believing E-mails like this one are innocent and
are just letting the author of the E-mail show their creative side:
Not only are you at risk of being infected with a virus or worm when
you receive HTML formatted E-mails, but you also cause problems for
your recipients when you send out HTML formatted E-mails. For example,
HTML formatted E-mails are much larger than Plain Text E-mails, so
you fill up your own and the recipient's inbox unnecessarily. You
also cannot be sure that the recipient is even able to read HTML
formatted E-mails let alone view it in the way that you intended it to
be viewed.
Most of the functionality that people use HTML formatted E-mails
for can be achieved with other formatting (such as Plain Text and
Rich Text) that does not have the bad side-effects of HTML
formatting.
As you can see, there are many evil things lurking behind HTML formatted E-mails. So many
evil things in fact, that we're sure that after reading this article,
you will follow the steps in the "What To Do"
section and verify that you aren't configured to automatically send
all your E-mails out with HTML formatting!
This advice applies whether you are sending E-mails to people within
your own department or school, to people outside of our system, or even
from home for personal E-mail! If you take one thing away from this article, let it be this:
1. You have no guarantee that your HTML formatted E-mail is
even readable by the recipient. You DO have that guarantee when
using Plain Text.
While HTML formatting might look good to you in your E-mail
client, you can't be sure how it will look to the recipient or if
the recipient can even read HTML formatted E-mails. Plain text
E-mail
messages can be read by any mail client without you, the sender,
wondering how or if it will be interpreted by the recipient.
As an example, this is that same message shown above as it would
appear to someone whose E-mail client cannot decode the HTML formatting:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD><TITLE></TITLE>
<META http-equiv=Content-Type content="text/html; charset=us-ascii">
<META content="MSHTML 6.00.2900.2523" name=GENERATOR></HEAD>
<BODY background=cid:567014217@15072005-0A21>
<DIV><!-- Converted from text/plain format --><FONT face=Arial size=2></FONT><FONT face=Arial size=2></FONT></DIV>
<DIV><FONT face=Arial size=2></FONT> </DIV>
<DIV><BR></DIV>
<P><FONT face=Arial size=2>Hi there Marge! Long time no see. I just want to say
<FONT color=#ff0000><STRONG>HI!</STRONG></FONT></FONT></P>
<P><FONT face=Arial size=2>Talk to you later,</FONT></P>
<P><FONT face=Arial size=2>Millie</FONT></P></BODY></HTML>
2. Most functionality that you use HTML formatting for can be
done using Rich Text or Plain Text formatting instead.
Most people who use HTML formatting on purpose (we're not talking
about those people who aren't aware that they are using HTML
formatting because their E-mail client defaults to it) use it
because they want the ability to use bold, indentation, bullets,
highlighting, text colors, clickable URLs, etc. in their E-mails.
All of these can be done using Rich Text formatting instead of
HTML formatting. In fact, most people aren't aware that clickable
URLs can be sent in Plain Text formatting as well! Just type in the
URL you want to be "clickable" by the recipient and most E-mail
clients will allow the recipient to click on it to launch their
web browser.
NOTE: The same warning holds true for Rich Text formatting as it
does for HTML formatting: Just because you are sending the E-mail
using Rich Text formatting, it doesn't mean that the recipient will read it as you expect. They may have their E-mail client configured
to convert all mail to Plain Text to protect themselves from viruses
etc.
3. HTML E-mails are the number one method of spreading viruses,
worms or trojan programs.
Warnings about using HTML formatted E-mails have been around for
years. You may remember the I Love You virus in 2000, which was able
to infect users who read their mail using HTML as soon as they
previewed the message; they didn't even have to open an attachment
to become infected!
HTML is code - not just text, like Plain Text or Rich Text E-mail
is. The HTML code runs on your computer when you read (or even
preview) the message. If someone embeds a virus or a trojan program
into an HTML formatted E-mail, your E-mail client (Outlook) will run
that code and infect your machine without you having to do anything more
than read or preview the message.
To better protect yourself, security experts recommend disabling your "preview pane" and
setting the default option to "view opened E-mails as Plain Text".
Instructions, and more information on the side-effects of doing this,
can be found in the "What to do" section below.
Even though this does not affect you as the sender of the
message, you don't know if others are protecting themselves from
receiving HTML formatted E-mails and can't be sure how your E-mail
is being interpreted by the recipient's mail client. It's better to
just not use HTML formatted E-mails.
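As an added example (not code from the original article), the following Python script models the check a recipient-side filter can make on an HTML message body before anything is rendered: it lists every element and attribute that the mail client would treat as code, would pull in from an embedded attachment, or would fetch from the web. The sample body, the tag and scheme lists, and the tracker hostname are all constructed for this example; the lists are a starting point, not a complete policy.

```python
"""Added example, not part of the original article: a recipient-side check
that lists the pieces of an HTML message a mail client would execute or
fetch on open or preview.  Standard library only."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed lists: elements that carry executable or embedded content,
# attributes that hold URLs, and URL schemes that run code when followed.
ACTIVE_TAGS = {"script", "object", "embed", "applet", "iframe", "frame"}
URL_ATTRS = {"src", "href", "background", "data", "action"}
SCRIPT_SCHEMES = {"javascript", "vbscript"}


class ActiveContentScanner(HTMLParser):
    """Collect one finding per element or attribute that carries code,
    pulls in an embedded attachment (cid:), or fetches from the web."""

    def __init__(self) -> None:
        super().__init__()
        self.findings: list[str] = []

    def handle_starttag(self, tag, attrs):
        # HTMLParser hands us lowercased tag and attribute names.
        if tag in ACTIVE_TAGS:
            self.findings.append(f"<{tag}> element")
        for name, value in attrs:
            value = (value or "").strip()
            if name.startswith("on"):
                self.findings.append(f"<{tag} {name}=...> event handler")
            elif name in URL_ATTRS:
                try:
                    scheme = urlsplit(value).scheme.lower()
                except ValueError:
                    self.findings.append(f"<{tag} {name}> unparseable URL")
                    continue
                if scheme in SCRIPT_SCHEMES:
                    self.findings.append(f"<{tag} {name}> uses a {scheme}: URL")
                elif scheme == "cid":
                    self.findings.append(f"<{tag} {name}> pulls in attachment {value}")
                elif scheme in ("http", "https"):
                    self.findings.append(f"<{tag} {name}> fetches {value}")


def scan_html(html: str) -> list[str]:
    """Return the findings for one HTML body, in document order."""
    scanner = ActiveContentScanner()
    scanner.feed(html)
    scanner.close()
    return scanner.findings


# Constructed sample body: the shape of the article's listing, with a few
# things added that a sender could embed and the recipient would never see.
SAMPLE_HTML = """<HTML><HEAD><TITLE></TITLE>
<SCRIPT>/* constructed placeholder: runs when the message is rendered */</SCRIPT>
</HEAD>
<BODY background=cid:567014217@15072005-0A21 onload="setup()">
<P><FONT face=Arial size=2>Hi there Marge! Long time no see.</FONT></P>
<IMG src="http://tracker.example.invalid/open.gif" width=1 height=1>
<P><A href="javascript:void(0)">Talk to you later,</A></P>
<P><FONT face=Arial size=2>Millie</FONT></P></BODY></HTML>"""


if __name__ == "__main__":
    for finding in scan_html(SAMPLE_HTML):
        print("flag:", finding)
```

Run on the sample, the scanner reports the script element, the body's event handler, the background image pulled from an embedded attachment (the same `cid:` reference the article's listing shows), the one-pixel remote image, and the script-scheme link; the harmless Plain Text-style paragraphs produce nothing. A client that reads all mail as Plain Text never gets as far as any of these.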
4. HTML E-mails are larger than Plain Text messages and fill up
your and the recipient's inboxes.
HTML E-mails are anywhere from two-thirds to 20 times larger than the
same message in Plain Text. Therefore they take longer to download
and use more space to store than Plain Text messages.
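To tie points 1 and 4 together, here is an added example (Python, standard library only; not code from the original article) that builds the kind of multipart message an HTML mailer sends, shows what a recipient whose client does not decode HTML gets out of it, and compares the sizes of the two bodies. The addresses and the trimmed HTML body are constructed for this example, modelled on the article's listing.

```python
"""Added example, not part of the original article: what a recipient whose
client reads everything as Plain Text gets out of an HTML message, and how
much larger the HTML version of the same note is."""
from email import policy
from email.message import EmailMessage
from email.parser import BytesParser

# Constructed sample.  PLAIN_BODY is what the sender typed; HTML_BODY is the
# kind of markup an HTML mailer wraps around it (modelled on the article's
# listing, trimmed to keep lines short).
PLAIN_BODY = (
    "Hi there Marge! Long time no see. I just want to say HI!\n"
    "\n"
    "Talk to you later,\n"
    "Millie\n"
)
HTML_BODY = (
    '<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">\n'
    "<HTML><HEAD><TITLE></TITLE>\n"
    '<META http-equiv=Content-Type content="text/html; charset=us-ascii">\n'
    '<META content="MSHTML 6.00.2900.2523" name=GENERATOR></HEAD>\n'
    "<BODY>\n"
    "<P><FONT face=Arial size=2>Hi there Marge! Long time no see.\n"
    "I just want to say <FONT color=#ff0000><STRONG>HI!</STRONG></FONT>\n"
    "</FONT></P>\n"
    "<P><FONT face=Arial size=2>Talk to you later,</FONT></P>\n"
    "<P><FONT face=Arial size=2>Millie</FONT></P></BODY></HTML>\n"
)


def build_sample_message(include_plain: bool = True) -> bytes:
    """Serialise the sample as a mailer would send it: multipart/alternative
    with a text/plain part first, or HTML-only when include_plain is False."""
    msg = EmailMessage()
    msg["From"] = "millie@example.com"  # constructed addresses
    msg["To"] = "marge@example.com"
    msg["Subject"] = "Hi"
    if include_plain:
        msg.set_content(PLAIN_BODY)
        msg.add_alternative(HTML_BODY, subtype="html")
    else:
        msg.set_content(HTML_BODY, subtype="html")
    return msg.as_bytes()


def _parse(raw: bytes):
    return BytesParser(policy=policy.default).parsebytes(raw)


def read_as_plain_text(raw: bytes) -> str:
    """Model a client that cannot (or is configured not to) render HTML:
    use the text/plain part when the sender included one, otherwise show
    the HTML source itself, tags and all, as in the article's listing."""
    msg = _parse(raw)
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        return plain.get_content()
    html = msg.get_body(preferencelist=("html",))
    return html.get_content() if html is not None else ""


def size_ratio(raw: bytes) -> float:
    """How many times larger the HTML body is than the Plain Text body of
    the same message (decoded text, not the encoded wire bytes)."""
    msg = _parse(raw)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    if plain is None or html is None:
        raise ValueError("message needs both a text/plain and a text/html part")
    return len(html.get_content()) / len(plain.get_content())


if __name__ == "__main__":
    both = build_sample_message()
    print("Sender included Plain Text; recipient reads:\n" + read_as_plain_text(both))
    print(f"HTML body is {size_ratio(both):.1f}x the size of the Plain Text body\n")
    html_only = build_sample_message(include_plain=False)
    print("HTML-only message; recipient without HTML sees:\n" + read_as_plain_text(html_only))
```

With the Plain Text alternative present, the recipient sees the four lines the sender typed; with the HTML-only variant they see the raw markup, exactly the situation the article's listing illustrates. Even for this two-line note the HTML body comes out several times the size of the Plain Text body, before any embedded background image or attachment is counted.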
5. Personalized settings (like font type, font color,
background, etc.) are not used when reading an HTML E-mail.
Many people personalize their E-mail client settings so that they
can comfortably read their mail with a certain font, font size,
color, background, etc. All of that is lost when they read an HTML
formatted E-mail, because all of those settings are chosen by the
sender of the message and are not set by the recipient.
This could be
problematic for people with a visual impairment who could not read
the 8 point grey text on the blue background that may look good on
the sender's screen.
6. You may be making it frustrating, or even impossible, for people who
read their E-mail using a PDA.
More and more people are reading their E-mail on PDAs (Personal
Digital Assistants like the Palm Pilot). HTML formatted E-mails may
not only be completely unreadable on PDAs, they also quickly fill up
the memory of the PDA storing all the extra HTML formatting code.
Now that you know all the evil things that come along with using
HTML formatting in your E-mails, you probably want to verify that
you aren't sending out all your mail as HTML and learn how to send
out Rich Text E-mails when advanced text features are needed (like
colors, bold or bullets).
You will also find instructions below for protecting yourself
from viruses, worms or trojan programs embedded in HTML E-mails.
Check to make sure your mail client is not
using HTML formatting by default.
For Microsoft Outlook 2003: Select Tools - Options,
click the Mail Format tab. Make sure "Plain Text" is
selected for "Compose in this message format:". If it's not,
change it to "Plain Text" and click OK.
There are websites out on the Internet that list how to make
the same change for other E-mail clients. For reference, here
are two such websites:
If you don't understand why you should make Plain Text your default
format, then go back and read the top
reasons why you shouldn't use HTML E-mails.
How to use Rich Text formatting on a per-E-mail basis.
Once you've set your default format to Plain Text, every new
mail message you compose will be in Plain Text. If you want to
send a Rich Text E-mail so you can use the text formatting
features: Bring up a "New Mail Message" window in
Outlook 2003. Click on Format - Rich Text.
That will
allow you to use Rich Text for that E-mail message without
changing your default format from Plain Text.
NOTE: The same warning holds true for Rich Text formatting as
it does for HTML formatting: Just because you are sending the
E-mail using Rich Text formatting, it doesn't mean that the
recipient can read it as you expect. They may have their E-mail
client configured to convert all mail to Plain Text to protect
themselves from viruses etc.
How to disable the Preview Pane.
To protect yourself from viruses, worms or trojan programs
that are spread via HTML E-mails, disable the preview pane in
your E-mail client: For Microsoft Outlook 2003: Select View -
Reading Pane - Off
How to enable "view opened E-mails as Plain Text."
To protect yourself from viruses, worms or trojan programs
that are spread via HTML E-mails, you can force your E-mail
client to read all mail as Plain Text whether it was sent as HTML or
Rich Text.
NOTE: Keep in mind that even though this is a great security measure to protect yourself from HTML embedded viruses, worms or trojan
programs, you will not see ANY formatting, even when
Rich Text formatting is used. By making this change, you will also make some messages
difficult to read such as the Anti-Spam software's End User
Digest.
For Microsoft Outlook 2003: Select Tools - Options, on
the Preferences tab, click E-mail Options. In the E-mail
Options window, select "Read all standard mail in Plain Text"
and click OK.