Thread: Help with AVG Anti-virus email scanning
View Single Post
  #21 (permalink)  
Old 04-30-2008, 05:16 PM
Ertugrul =?UTF-8?B?U8O2eWxlbWV6?=
Guest
  
Posts: n/a
Default Re: Help with AVG Anti-virus email scanning
bz <bz+csm@ch100-5.chem.lsu.edu> wrote:

> > Formatting is not meant to make information beautiful or cute.
>
> What is it meant for?

Making it more readable, highlighting parts of it, influencing the way
it is interpreted.


> >> 2) html enabled e-mail clients are executing programs that others
> >> have sent you when they render html coded text.
> >
> > Odd, mine doesn't. Maybe I misconfigured it?
>
> Maybe you and I disagree a bit on what is meant by 'executing
> programs'.

In my view, you can talk about 'executing programs' as soon as
interpreting data goes beyond changing or visualizing it.


> And maybe you and I see different sides of the problem. You seem
> concerned with protecting YOUR computer.

Yes, that's true.


> I, on the other hand, clean computers for people after they have been
> infected due to clueless use.

Maybe you would be unemployed if all computer users were clueful.


> >> 3) it is practically impossible to 'foolproof' such rendering so as
> >> to protect the viewer from all possible attacks.
> >
> > HTML is much more complex than plain-text, yes. Still, we have very
> > good SGML and XML parsers, which are well tested and seldomly fail
> > in a way that can be exploited.
>
> 'Seldom' is too often.

'Seldom' is the best you can get. Computer programs are always
error-prone.


> > Reinventing the wheel is a bad idea in this place, so you would just
> > use one of these parsers.
>
> I see people spend hundreds of hours making their HTML 'look right' on
> their screen. They don't realize that the format and display is
> platform and browser dependent. Even when it is explained to them,
> they still don't 'get it' on a deep level and STILL try to make it
> 'look right' on their screen. They don't 'get it' until I show them
> how it looks on another computer.
>
> Using HTML in e-mail is like gluing flowers on your car's tires.
>
> It looks pretty until your try to use it.
>
> Some of the flowers (roses for example) have thorns and poke holes in
> the tires.

Well, all this is not HTML's fault. It's the fault of how people
interpret and use it.


> > BTW, if it would be that bad, web browsers would be much more
> > hazardous to use.
>
> They are much more hazardous than you imagine. I see infected machines
> every day, usually infected by browsing or reading e-mails.

That's, as you said, because of clueless use.


> > Consider that a mail-reader would only need a small subset of the
> > possible HTML extensions, e.g. it doesn't need stuff like JavaScript
> > and you may even decide to disregard things like CSS).
>
> And do these things come 'turned off' by default?
>
> [...]

No, and again, that isn't HTML's fault.


> >> 4) embedded images in html can tell the sender 'an idiot just
> >> opened the e-mail I sent them' so you just told the spammer that
> >> the e-mail address is a good one. He can now sell it to other
> >> spammers.
> >
> > Read the first sentence of my last reply again.
>
> Your responsibility seems limited to your machines.

Yes, but again, you might need to find another job, if those problems
weren't present.


> >> 6) html can be coded so that the viewer sees one link while being
> >> sent to a different place on the web.
> >
> > How? Remember, we
>
> You have a mouse in your pocket? Who is 'we'.
> How would you get 40,000 students and 3,000 faculty/staff to 'practice
> safe hex'?
>
> > ignore JavaScript for mails, and the destination address is shown in
> > the status bar.
>
> That feature can be disabled. It can also be fooled and you seem to
> assume that the user LOOKS at the status bar before they click on the
> link. I'll bet that even YOU have 'clicked first', sometime.

Sure, but that's okay. I notice it in the address bar of my browser at
the latest. But your point is true. In a larger scale, that can surely
be abused. My point, however, is that it isn't HTML's fault. Used
properly, HTML emails are useful.


> > That's okay. I do, too. Though I have an HTML plugin loaded, it
> > displays the plaintext parts by default, and displays nothing it
> > there is no plaintext part. I have to specifically select the HTML
> > part, if I want to view it.
> >
> > Reason: Some HTML-enabled mail-readers format their plaintext parts
> > that horribly, that the HTML part is just much more readable.
>
> You assume that all HTML rendering is good and readable. I was just
> looking at a web page where text was overlaying other text.

But if the plaintext part is totally unreadable (e.g. each paragraph in
one long line, as Outlook tends to format the plaintext parts), then I
prefer to read the HTML part, which is well readable in most cases.


> >> 8) Some discard ALL html encoded and graphic encoded incoming
> >> e-mail, unviewed.
> >
> > Those people don't do serious business.
>
> What you call 'serious business', some others might consider to be
> chicken feed.

Depends. You will have lots of customers and allies, who don't have a
clue about electronic data processing. They usually use Outlook, and
they usually send HTML mails. Some of them even prefer email over other
media. Sad, but true.

Not viewing the HTML parts automatically is a good idea. Dropping mails
unread just because they contain an HTML part is a bad idea. You may
want to drop emails, which _only_ contain an HTML part, though. I
haven't seen many clients do or even allow that, but for example AtMail
does.


> > 90% of my incoming business emails have an HTML part.
>
> If you handle your 'serious business' via e-mail, you have a problem.

I get quite a few customer requests via email. Not my fault, I have a
telephone, but still some customers prefer that way.


> E-mail never has been and never will be reliable. E-mails get lost.
>
> That is why 'serious companies' do not allow the use of e-mail for
> 'serious business'. It IS useful for some things but if you want to
> make sure your message gets through, talk to them on the telephone,
> confirm via fax. Check via e-mail to make sure the fax got through ok.

I don't initiate 'serious business' via email, but some people seem to
prefer it over other media. And I've also never said anything about the
quality of the email medium. I just say that IMO there is nothing wrong
with HTML emails.


> 90% of my incoming spam has HTML. Eliminating HTML eliminates 90% of
> the spam.

True.


> I like 'new and improved' when it is really improved.

Improvements often come with problems, at least with more complexity.


Regards,
Ertugrul.


--
http://ertes.de/


Reply With Quote