ietf-asrg
[Top] [All Lists]

[Asrg] Discouraging HTML-burdened E-mail

2003-06-19 23:58:37
What I find bizzare is the persistent equating of turning off HTML by
default with banning HTML.

Fair enough.  But even if all MUAs turned off HTML by default, spammers
would continue to use HTML.

In that case, it makes it an EVEN MORE reliable indicator of mail that most 
people probably don't want (especially unsolicited).  :-)

Getting back to Gordon Peterson's proposal, he suggests a mechanism which
would discourage the use of HTML and attachments, by forcing people to
explicitly give others permission to send them those types of messages.

Exactly.  (IF they wanted to allow those senders to send them that type of 
stuff. which they might not).

This is meant to reduce the effectiveness of spam and address-harvesting
techniques, and increase the effectiveness of content filters.

At least it would mean that address harvesters would not get NEARLY so many 
E-mails through, as long as spammers continued to employ all their familiar 
HTML-based tricks, deceptions, and obscuring techniques.

Unfortunately, I think the vast majority of computer users have absolutely
no idea what HTML is.  

All the more reason they shouldn't triple to quintuple the carrying cost of 
their E-mail due to using it inadvertently.

As a sysadmin, I've tried to explain it to people,
and their eyes glaze over. They also have trouble grasping the notion of
'plain text', i.e. a format that doesn't support all the things they
normally think of as being available in 'text' (which for them means what's
available in Microsoft Word).  Once they understand the severe limitations
of this wonderful 'plain text' format which I'm encouraging them to use, the
first thing they want to know is how to make sure that they never use it.
They *like* the fact that when you reply to a message, Outlook puts the
quoted text in a different colour; they feel that it makes messages easier
to read.  To them, right angle-brackets look like something out of the Stone
Age.

Again, if they WANT to enable HTML-burdened mail, for specified correspondents, 
they CAN.  And easily, I'd hope.  

Frankly, I think that if people observed a DIRECT correlation between 
re-enabling HTML and a 10x increase in the amount of spam in their inboxes, I'd 
bet that most of them would figure out that it just wasn't worth it.

Imagine Sally User, who is a customer service representative, or a
freelancer.  Her ISP starts offering the proposed permissions service.  She
has no idea what HTML is, but she gathers that it's something about reducing
spam, so she accepts the default permissions, which are quite restrictive.
Suddenly people who write to Sally find that their messages bounce, with an
automated reply saying: 'Please send me a plain-text message asking for
permission to send me HTML email or attachments.' 

Actually, a better bounce message would say something like:

  "Your message is returned to you because you have either sent attachments or 
bulky and annoying HTML-burdened formatting.  As a responsible way to help 
reduce the volume of spams, viruses, worms and trojans, I will gladly accept 
unsolicited E-mails if they are not in HTML-burdened format and if they don't 
contain unexpected attachments.  If you NEED legitimately to send me 
HTML-burdened mail or attachments, you'll need to clear that with me in 
advance....

  "Thank you for your understanding, and your help in us all working together 
in 
reducing the scourge of spam and viruses from the Internet.

  "[If you don't understand what HTML means in your E-mail or how to turn it 
off 
in your outgoing E-mail, contact your ISP for more information, or else see the 
web site at http://www.stopspam.org/noHTML.html ] "

These correspondents have no idea what this means (remember, they don't know 
what HTML is, either), 

The bounceback message could refer them to a Web site which would explain the 
problem, and explain how to turn off HTML formatting for the most popular 
E-mail 
clients.

and are put off by the fact that their email was rejected.  

I think you need to explain in the bounceback WHY it was rejected, and WHY the 
rejection is in ALL of our MUTUAL interest to do so.

...So they simply take their business somewhere else, to another company or 
freelancer who doesn't reject their email.  

I'm sure that the spammers lurking here on this list are desperately hoping 
that 
everyone will cling tenaciously to the "need" to receive HTML-burdened E-mail 
and attachments from any-and-all, including untrusted/unknown, senders.  The 
*great* majority of spam being sent out COUNTS on that!

...When Sally finds out, she's horrified, and quickly sets her permissions to 
accept anything from anyone.

IF she does that (and doing so ought to produce a CLEAR warning that it will 
hugely increase the amount of spam she receives) then AT LEAST the spam monkey 
is off the back of Sally's ISP, and she can't legitimately bitch about getting 
a 
lot of spam... since SHE made the CONSCIOUS CHOICE to defeat the anti-spam, 
anti-worm, anti-virus provisions offered.

I suspect that most people, if they understood that restrictive permissions
would cause legitimate messages to bounce, would opt for giving full
permissions to all senders.

A *vanishingly* small percentage of "legitimate" messages from 
unknown/untrusted 
senders NEED to have HTML, attachments, or encoded text bodies.

Again, you might have a point, IF the filter still let unchanged quantities of 
spam to arrive in Sally Stupid's inbox.  But if she saw her spam decrease 
HUGELY 
when the ISP turned on the feature, and then saw it come back with full 
vengeance after she defeated the feature... I suspect that she'd pretty quickly 
learn to appreciate the value in it... and decide that it was worth her trouble 
to understand it.

As for making content filtering more effective, it would be easy for content
filters to strip out all the HTML tags, comments, JavaScript, etc. from a
message before filtering.  

Indeed, although some of what they WANT TO SEE is in the HTML and scripting... 
for example, a script that creates a "known spammer domain" URL dynamically.  
Another case are a large number of andomly generated, bogus HTML tags (and 
often 
in the middle of words!) which are only there to obscure content.... a 
near-certain indicator that the E-mail in question is spam, rather then 
legitimate.  You don't really WANT to eliminate them, if they're there... you 
can learn a lot by taking a closer look at 'em.

No need to actually parse the HTML.  (I'd be surprised if there weren't 
content filters that do this already.)

Might be, but it's slower and longer (especially if you're going to try to 
emulate scripts etc to see what they 'might' produce... and that is a slippery 
slope indeed.)  My present filter takes a pretty good look at the HTML, and 
strips most (but not all!) of it from the incoming messages.  It generally 
strips the stuff that doesn't reveal much about the nature of the spam (or 
legitimacy) of the E-mail.

Finally, even if this proposal worked exactly as planned, why couldn't
spammers do just fine with ASCII?  

They could, but:

   1)  it's harder to obscure the content

   2)  most URL tricks become unusuable

   3)  ActiveX and scripting become unusable

   4)  Obscured URLs become more obvious and suspicious when copied-and-pasted 
manually
  
   5)  font size, color, and related tricks become unusble

   6)  message-in-image-format becomes unusable

   7)  all Web bugs are suddenly unavailable

   8)  popups and the like are unavailable

   9)  they can't steal real-looking graphics from Ebay, PayPal, or other 
"legitimate" Web sites

  10)  people are more inclined to think twice before copying-and-pasting a URL 
compared to just clicking on it

  11)  clutter-obscuring the message with HTML comments, bogus nonsensical HTML 
tags, and the like become unusable

The Nigerian 419 spammers and their imitators have been using ASCII all 
along, 
and if they were a bit more clever about their wording, it would be quite 
difficult to filter.

Indeed.  But PRESENTLY a lot of the wording (if plain ASCII) is fairly easy to 
filter, and that would probably be even more true if spammers were practically 
speaking constrained to plain ASCII text.  Spammers defeat that kind of thing 
by 
sending (for example) an E-mail which contains an Image tag to a block of text 
stored as a GIF or JPG file, which content scanners can't do much with.

Again, I think this is all really beside the point.  We're here to come up
with a mechanism to stop unsolicited bulk email.  Gordon's proposal is
concerned with some superficial properties that much spam currently has, 

I think that you're casually dismissing the fact that HTML and attachments are 
both KEY to a lot of the deceptions and misrepresentation that spammers (as 
well 
as virus authors) count upon.  Even if we only still got the same number of 
spam 
messages as at present, but in practice took out the alternative HTML-burdened 
content, we'd already reduce overall spam volume (in terms of bytes) by 
probably 
75-90%.  *I* certainly think that would be worthwhile!

but doesn't deal with the core issues: 'unsolicited' and 'bulk'.

I disagree.  The permission list would allow for a fairly strict default 
behavior, which would block the majority of unsolicited spams.

As for "bulk", I don't think that's automatically a behavior of spammers... 
indeed, more and more spam I've seen is individually created for each user (for 
example, having the recipient's name or e-mail address or at least their dowmin 
name somewhere in the spam).

Gordon Peterson                  http://personal.terabites.com/
1977-2002  Twenty-fifth anniversary year of Local Area Networking!
Support the Anti-SPAM Amendment!  Join at http://www.cauce.org/
12/19/98: Partisan Republicans scornfully ignore the voters they "represent".
12/09/00: the date the Republican Party took down democracy in America.



_______________________________________________
Asrg mailing list
Asrg(_at_)ietf(_dot_)org
https://www1.ietf.org/mailman/listinfo/asrg



<Prev in Thread] Current Thread [Next in Thread>