Ok, so aside from hawk and blake, I'm likely the only one who will get excited about this

Feb 23, 2007 03:47

but after troubleshooting some e-mail formatting difficulties while forwarding through several different servers (which I still haven't solved) I found out that my website's e-mail software for webmail clients supports what is very nearly plain-text-only emails by default.

We've all gotten spam e-mails, right? And they sometimes include images that display even when you have "display images" set to off? Or otherwise behave strangely with funny not-quite-text stuff on either side of them?

None of us really pay attention to it anymore because we're so used to spam being weird, but it's worth being slightly more careful about if you can. Explanation follows:

There's a way to report a LOT of information about your e-mail client/the time you opened the message/where the message went and how/who you forwarded it to or replied to/etc just because you opened an email and there was an image in it.

Most e-mail programs have a bunch of "don't display images", "don't use HTML formatting" and "don't open attachments by default" options. Good idea in principle, but no one really uses any program that's a pain in the ass unless they're being paid for it at work. So since everyone has e-mail, the real key to making people pay for or use your e-mail product is making it easy to use, right?
Good business strategy, really. Everyone is focused on ease of use nowadays.
But that means that occasionally programs just, for lack of a better term, decide what they're doing FOR you no matter what your settings are set at. Because warning you about something or generating an error message makes your program look hard to use. The kind of stuff we complain about to our IT departments. "It's telling me something is wrong".

So a lot of stuff is written to just "assume" that you or it knows what you or it is doing. These sorts of assumptions are where people figure out how to abuse other people who use computers. (See my earlier reference to e-mail clients displaying images when I have "display images" turned off.)

So is the only real solution to avoiding any exploit here installing an e-mail client that outputs nothing but plaintext and converts all raw data into plaintext?

Probably not, because no one would use it, no matter how safe it was. Even with a mix between the two, using a freely available, semi-popular e-mail client, I can get information like this in one mouse click:

[Screenshot: thunderbird meta info]

This is a very small and easy part of how the government tracks down ch!ld pr0nagraph3rs and other wanted criminals if you know anything about what to do with it.

Now, let's face it, most abusive cracking types (the people they call hackers on the news; again, see this if you have the Mediocracy's Ambiguity Definition Syndrome, which is common and infectious, especially among republocrats) have more exploitative things to do, but having that available for every e-mail means that I have the option to read through it just like any script that's coded up and run on a computer no one has to touch until they want a specific list of stuff out of it.

Notice how it says "X-Yahoo-Profile"?

That's your yahoo account name... or gmail, or msn, or nearly everything else.

So why is all of this important?
Because I discovered tonight that my webserver's webmail puts nearly everything in straight text.

Even HTML tags, JavaScript code, CSS formatting, and ActiveX controls are shoved into as much plain text as they allow.

It's a good start on not letting spammer-referenced images pwn the hell out of my inbox.
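As an added illustration (my own code, not anything from the post, from the webmail in question or from Thunderbird), here is a small Python renderer that does roughly what that webmail does: it turns an HTML message into plain text, throws away script, and records instead of fetching the remote images that would report back the moment they are displayed, while also listing the X- headers that identify the sender's account or client. The sample message, the tracker.example.com URL and the X-Example-Profile header are constructed stand-ins for the kind of content the post describes.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse
# Constructed sample message (not a real e-mail): an HTML body with a script, a
# remote 1x1 "web bug" image, an inline cid: image and a hypothetical X- header.
RAW_MESSAGE = b"""From: sender@example.com
Subject: hello
X-Example-Profile: some_account
Content-Type: text/html; charset="utf-8"

<html><body><p>Hi there,</p>
<script>alert(1)</script>
<p>Check <a href="http://example.com/offer">this</a> out.</p>
<img src="http://tracker.example.com/pixel.gif?id=12345" width="1" height="1">
<img src="cid:logo@example.com">
</body></html>
"""

class PlainTextRenderer(HTMLParser):
    def __init__(self):
        super().__init__()
        self.chunks, self.remote_images, self._skip = [], [], 0
    def handle_starttag(self, tag, attrs):
        if tag in ("script", "style"):
            self._skip += 1                       # suppress active content entirely
        elif tag == "img":
            src = dict(attrs).get("src") or ""
            if urlparse(src).scheme in ("http", "https"):
                self.remote_images.append(src)    # would phone home if rendered
            self.chunks.append("[image]")         # never fetched, only noted
        elif tag in ("p", "br", "div"):
            self.chunks.append("\n")
    def handle_endtag(self, tag):
        if tag in ("script", "style") and self._skip:
            self._skip -= 1
    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

def render_plain(raw_bytes):
    """Return safe text, the remote images that would have been fetched, and X- headers."""
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    body = msg.get_body(preferencelist=("html", "plain"))
    r = PlainTextRenderer()
    r.feed(body.get_content() if body else "")
    text = " ".join("".join(r.chunks).split())
    xh = {k: str(v) for k, v in msg.items() if k.lower().startswith("x-")}
    return {"text": text, "remote_images": r.remote_images, "x_headers": xh}
```

Real messages are usually multipart; `get_body` already picks the HTML or plain part out of those, so the same function works on a message saved from a mailbox.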