Security awareness: another reason to avoid HTML mail

On the face of it, this looks like a perfectly reasonable message with a perfectly reasonable URL from a perfectly reasonable address:

Dear Workopolis member,

Workopolis Technical Department requests you to complete Online Employer
Form.
This procedure is obligatory for all clients of Workopolis.
Please select the hyperlink and visit the address listed to access
Online Employer Form.

http://www.workopolis.com/database/employer_form

These instructions are to be sent to all Workopolis members.
—————————————————————
Copyright © 2007 workopolis.com. All Rights Reserved.

In reality, it’s HTML mail that is used to hide the real URL.
What I’ve shown in plain text above reads like this in HTML:

Please select the hyperlink and visit the address listed to access
Online Employer Form.


http://www.workopolis.com/database/employer_form?

What’s really there is http://www.workopolis.com.ieooo2.xz.cn/database/employer_form?session==79414285156108018779442998768454048168113142102426838

As you see, what you see and what you get aren’t the same.

My spam detector, spamassassin, is smart enough to spot this.
It’s really crude spam!

X-Spam-Report: * 1.7 HOST_EQ_D_D_D_D HOST_EQ_D_D_D_D
  * 2.9 RM_hm_EmtyMsgid Message ID is empty, or just spaces – probable spamsign
  * 0.1 SPOOF_OURI URI: URI has items in odd places
  * 2.5 SARE_SPOOF_COM2COM URI: a.com.b.com
  * 2.0 MIME_HTML_ONLY BODY: Message only has text/html MIME parts
  * 3.0 URIBL_BLACK Contains an URL listed in the URIBL blacklist [URIs: ieooo2.xz.cn]
  * 1.0 MIME_HTML_ONLY_MULTI Multipart message only has text/html MIME parts

But the really important thing is that an HTML message can hide reality.
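The two tricks in this lure, link text that reads as one URL while the href points somewhere else, and a host of the form a.com.b.cn, are both mechanical enough to check for. The script below is an added example, not code from the original post or from SpamAssassin: it parses a raw message with the standard library, pulls every anchor out of the HTML part, and flags those whose visible URL names a different registrable domain than the real href, or whose href host carries a well-known TLD as an interior label. The sample message is constructed to mirror the lure above (the session value is made up), the registrable-domain helper is a deliberately crude last-two-labels approximation rather than a Public Suffix List lookup, and the checks for HTML-only bodies and an empty Message-ID only loosely echo the MIME_HTML_ONLY and RM_hm_EmtyMsgid rules in the report.

```python
import email
from email import policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample: an HTML-only message modelled on the lure in the post.
# The host and session value are illustrative, not captured data.
SAMPLE_RAW = """From: noreply@example.invalid
To: member@example.invalid
Subject: Online Employer Form
MIME-Version: 1.0
Content-Type: text/html; charset=us-ascii

<html><body>
<p>Please select the hyperlink and visit the address listed to access
Online Employer Form.</p>
<p><a href="http://www.workopolis.com.ieooo2.xz.cn/database/employer_form?session==7941">http://www.workopolis.com/database/employer_form?</a></p>
<p><a href="http://www.workopolis.com/help">http://www.workopolis.com/help</a></p>
</body></html>
"""


class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs for every <a> element in an HTML body."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None


def html_only(msg):
    """True when the message has text/html parts and no text/plain part (cf. MIME_HTML_ONLY)."""
    types = [p.get_content_type() for p in msg.walk() if not p.is_multipart()]
    return "text/html" in types and "text/plain" not in types


def empty_message_id(msg):
    """True when Message-ID is absent or blank (cf. RM_hm_EmtyMsgid)."""
    return not (msg.get("Message-ID") or "").strip()


def registrable(host):
    # Crude approximation: the last two labels. Real tooling consults the Public Suffix List.
    return ".".join(host.lower().split(".")[-2:])


def looks_like_url(text):
    t = text.lower()
    return "://" in t or t.startswith("www.")


def com_to_com(host):
    """a.com.b.cn-style host: a well-known TLD appears as an interior label (cf. SARE_SPOOF_COM2COM)."""
    labels = host.lower().split(".")
    return any(label in {"com", "net", "org"} for label in labels[:-1])


def find_deceptive_links(msg):
    """Return anchors whose visible URL disagrees with the real href, or whose href host is a TLD-in-the-middle spoof."""
    findings = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        collector = AnchorCollector()
        collector.feed(part.get_content())
        for href, text in collector.anchors:
            href_host = urlparse(href).hostname or ""
            shown_host = ""
            if looks_like_url(text):
                shown_host = urlparse(text if "://" in text else "http://" + text).hostname or ""
            reasons = []
            if shown_host and registrable(shown_host) != registrable(href_host):
                reasons.append("visible URL host differs from href host")
            if com_to_com(href_host):
                reasons.append("href host embeds a TLD label (a.com.b.cn pattern)")
            if reasons:
                findings.append({"shown": text, "href": href, "host": href_host, "reasons": reasons})
    return findings


def analyse(raw):
    """Parse a raw RFC 822 message and run the three checks above."""
    msg = email.message_from_string(raw, policy=policy.default)
    return {
        "html_only": html_only(msg),
        "empty_message_id": empty_message_id(msg),
        "deceptive_links": find_deceptive_links(msg),
    }


if __name__ == "__main__":
    for key, value in analyse(SAMPLE_RAW).items():
        print(f"{key}: {value}")
```

Run against the constructed sample, only the first anchor is reported: its visible text names workopolis.com while the href resolves under xz.cn, and the href host also trips the interior-TLD check. The second anchor, whose text and href agree, is left alone, which is the point of comparing registrable domains rather than raw strings.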

Why do I mention this? For most of us it’s obvious.

Well, at a recent ISSA meeting I spoke with another CISSP, a security manager with a local organization that has an operating budget of over 200 million dollars. All their internal mail is “HTML” – he says that’s the standard, so the MUAs read mail as HTML by default. Mail from him is in proper MIME format, the text part as well as the HTML part. I pointed out that this means his organization is paying extra for storage and that it gets multiplied when mail is cc’d. He just said “well, it’s the corporate standard”.

Now the corporation may not care that it’s paying extra for all that storage; after all, storage is cheap.

But humans have always been the weak link. Someone might get mail like this and click on the URL. We’ve been telling users for years not to open unsolicited attachments, but they still do. Why would we think they won’t click on URLs in mail messages?

The reasons my colleague at the ISSA offered included “HTML offers formatting options that our users require. Plain Text does not.” But that was with no explanation of why they might need those options.

Personally I think that’s a specious answer. For EVERY message? We do fine here with plain text.

HTML mail represents a risk. Users need to be educated to realize that. A baseline policy of “all mail should be HTML” also means all readers default to HTML and so can hide what’s really in the message. Not least, there have been bugs in HTML rendering code in the past that have led to exploits. Does anyone really think that users won’t click on the URLs in mail from the outside?

Perhaps you also need a front-end ‘sanitizer’ like http://www.impsec.org/email-tools/procmail-security.html
or http://mailtools.anomy.net/ which is the one I recommend.

Perhaps you need to be wary about MIME e-mail in general, both HTML mail and attachments.

About the author

Security Evangelist