[svlug] Viruses (was: virus FUD)

kmself@ix.netcom.com kmself at ix.netcom.com
Mon May 8 01:54:08 PDT 2000


On Sat, May 06, 2000 at 11:06:24PM -0700, Jonathan Cobb wrote:
> To further criticize the author of the linuxplanet article:
> 
> >      What's worse is that there is almost no way of avoiding opening
> >      HTML e-mail, at least in Netscape Messenger.... So HTML mail has
> >      some ugly side effects, and they are largely the same on Linux 
> >      as they are in Windows. 
> 
> Hmmm... and these "ugly side effect" would be?  Besides slow loading
> times, and (if you haven't disabled JavaScript) the occasional annoying
> popup window, are there any real hazards to viewing HTML?  Any more than
> you'd have surfing to the same page in your main browser window?  I
> doubt it.  Most of the really nasty holes in JavaScript have been
> plugged -- like the one in NN2 that allowed a form with a "mailto"
> action to post itself to the originating webserver, thus giving the
> server your email address! -- so even JavaScript is pretty safe these
> days.  
> 
> I'd be curious if anyone else knows of any significant "ugly side
> effects" that can be perpetrated by simple HTML/JavaScript.

There are several problems which come to mind:

 - The above mentioned slow loads, etc., and impacts on network
   performance, particularly on dialup connections.

 - Javascript is bad enough of itself.  There are some potential 
   exploits which have been uncovered in the past, for example, the 
   infamous CrackMonkey dual-boot wups-we're-sorry exploit.

 - In the particular instance of spam, it's possible (and judging from
   URLs I've seen, becoming common practice) to encode either pages or
   image files with distinct URLs which allow for receipt-verification
   of specific mail items.  This is as good as saying "hi, yes, I'm a
   valid email address, spam me please".

Using Mutt, I've taken to filtering all HTML email content through
'less' prior to viewing in a browser, whether console or graphical.

This probably isn't a significant threat, but it's an additional step to
personal privacy and spam reduction.

Note that the distinction is that having a page (or URL) sent to you is
not something that happens as a matter of course when you're
webbrowsing.  You're selecting content, it's not selecting you.  This
relationship is reversed in email.

-- 
Karsten M. Self <kmself at ix.netcom.com>         http:/www.netcom.com/~kmself
    What part of "Gestalt" don't you understand?
    http://gestalt-system.sourceforge.net/
GPG fingerprint: F932 8B25 5FDD 2528 D595  DC61 3847 889F 55F2 B9B0
-------------- next part --------------
A non-text attachment was scrubbed...
Name: not available
Type: application/pgp-signature
Size: 232 bytes
Desc: not available
Url : http://lists.svlug.org/archives/svlug/attachments/20000508/991e0b24/attachment.bin


More information about the svlug mailing list