spf-discuss

RE: [IETF] Allocation of the new RR type for SPF

2004-11-13 23:57:22
HTML allows spammers, or anyone, to confirm you read the email.  They just
put a picture with a unique file name in the email; when the HTML viewer
accesses the file, they just confirmed the email address is good.

Phishing attacks have some odd HTML that puts a picture up that looks like
text that contains a URL that seems valid.  But clicking anywhere on the
picture opens the URL they want you to see, not the URL you think you are
clicking on.

HTML allows JavaScript; a text-based reader would not process the evil
code.

HTML in the early days could be used to open any URL without any help from
you.  Just view the email, and the URL opens in a browser, from there they
can exploit you until it hurts!  But maybe only if you are running Microsoft
stuff.  But most people do.

Guy

-----Original Message-----
From: owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
[mailto:owner-spf-discuss(_at_)v2(_dot_)listbox(_dot_)com] On Behalf Of 
Hallam-Baker, Phillip
Sent: Saturday, November 13, 2004 10:56 PM
To: spf-discuss(_at_)v2(_dot_)listbox(_dot_)com
Subject: RE: [spf-discuss] [IETF] Allocation of the new RR type for SPF



**************** REPLY SEPARATER ***************
This is completely off topic, but you pressed a button. Show 
me where HTML is a standard in email. It is anything but. 
HTML is the single biggest reason for all the virus and 
phishing problems we have today. HTML DOES NOT BELONG IN A 
MESSAGING SYSTEM.

There has never been an HTML virus, possibly a Java or JavaScript virus, but
those never had a place in HTML.

I have plenty of plaintext phishing samples. Most 419 scams are plaintext;
it's only recently that THEY STOPPED USING ALL CAPS.

The viruses spread through executable MIME attachments. Executables have no
place in the email system. If people must send them then let's work out a way
to transport them safely. Either get a working anti-virus system or strip
them out entirely.

As for HTTP/0.9 we tried to make it obsolete back in 1993. The fact that
people still leap to its defense makes my point, however much you might like
to make something obsolete you will never manage it. Remember early on in
the SPF saga when people were bleating about it not working for UUCP? If
there ever was a technology that has no place today it would be UUCP but
there will always be some bearded wonder wearing flipflops who insists that
it's all that he can use on his Altair and that therefore the world should
not deploy SPF.
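
The HTML-mail risks raised in the first message above (a remote picture fetched on view, a link whose visible label differs from where it goes, script in the body) can be flagged by a mail filter before rendering. The following is an added example, not code from this thread; the class and function names and the sample HTML are constructed for illustration.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

URL_IN_TEXT = re.compile(r"(?:https?://|www\.)[^\s<>\"']+", re.I)
# Constructed sample body (not a real message); hosts are reserved example names.
SAMPLE = """<a href="http://203.0.113.7/login"><img src="http://img.example.net/text.gif"></a>
<a href="http://login.example.org/verify">http://www.bank.example/secure</a>
<img src="http://track.example.net/open/4f2a91c3.gif" width="1" height="1">
<script>window.open("http://ads.example.net/")</script>"""

def host(url):  # lower-cased hostname, tolerating a missing scheme
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

class HtmlMailAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.remote_images, self.suspect_links, self.active_content = [], [], 0
        self._href, self._text, self._img = None, [], False

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "script" or any(k.startswith("on") for k in a):
            self.active_content += 1  # script a text-based reader would never run
        if tag == "img":
            if (a.get("src") or "").lower().startswith(("http://", "https://", "//")):
                self.remote_images.append(a["src"])  # fetched on view: confirms the read
            self._img = self._img or self._href is not None
        elif tag == "a" and a.get("href"):
            self._href, self._text, self._img = a["href"], [], False

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            text = "".join(self._text).strip()
            shown = URL_IN_TEXT.search(text)
            if shown and host(shown.group()) != host(self._href):
                self.suspect_links.append(("text-mismatch", self._href))
            elif self._img and not text:
                self.suspect_links.append(("image-only", self._href))
            self._href = None

def audit(html):
    parser = HtmlMailAudit()
    parser.feed(html)
    parser.close()
    return parser
```

An image-only link is flagged because any URL drawn inside the picture cannot be compared with the real target without OCR; a filter can treat that as a reason to show the actual `href` to the reader.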




