Stardate 20010910.1714 (On Screen): HTML-encoded email is evil. There is nothing whatever that it can do which we actually need to do, and it opens its users up to endless abuses. As soon as I could find a reasonable one, I dumped OE and NavMail and switched to a mail program that doesn't support it, and I'll never again use one that does. One form of abuse is the ever-popular ActiveX control invoked by email, which downloads a program from a site and runs it locally. ActiveX has no meaningful security model; such a program can do anything at all. I've seen such things a lot (which don't get executed by my non-enabled mail program).
Another fun thing that can be done with HTML-encoded email is to embed "bugs" in it. That's an image reference to a small (sometimes invisible) image file on a server. Often the reference will have a ? parameter attached to it with some key number. The number is generated uniquely for each email address that the spam is sent to, and what this does is to permit the server to associate email addresses with IPs, since the request for the image contains the IP from which it came; it also gives that server the opportunity to set a cookie on your system which contains an ID for you. Thereafter, that company can tell what sites you visit and send you additional spam "appropriate to your interests". Fun fun fun!
HTML abuse in email has gotten so bad that Hotmail has instituted filtration to remove JavaScript from email received by it. But some clever guys have shown a way to bypass that (the latest in a long line of ways of evading the filter), and it is insidious indeed: they have embedded JavaScript in the "From" line of a message. (Hotmail was already filtering the Subject.) Even better, it gets executed when you look at your mail box; you don't even have to open the offending mail message. The real answer here is obvious: Eliminate HTML completely; stop trying to filter it to let "innocuous" HTML through and stop "hostile" HTML; you're never going to be able to fill all the security cracks that way. (discussion in progress)
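As an added example (mine, not part of the original post), here is the kind of defender-side triage a mail client or gateway can do to cover both of the abuses above without ever handing the HTML to a renderer: it flags remote, tiny or hidden image references as probable web bugs and records the per-recipient key they carry; it flags HTML markup that has leaked into headers such as From or Subject; and it shows the mail as plain text, preferring the text/plain part and falling back to tag-stripped text only when no plain part exists. The sample message, its host names and the key value are constructed for the example and are not from any real spam.

```python
"""Defensive triage of an HTML-encoded email (added example, not the post's code)."""
import email
import re
from email import policy
from html.parser import HTMLParser
from urllib.parse import parse_qs, urlparse

# Constructed sample (not a real message): a multipart/alternative mail whose
# HTML part carries a 1x1 remote image with a per-recipient key, and whose
# From header carries HTML markup in the way the post describes.
SAMPLE_RAW = b"""From: "Promo <script>track()</script>" <promo@example.test>
To: victim@example.test
Subject: September specials
MIME-Version: 1.0
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="us-ascii"

See our September specials at http://www.example.test/specials

--b1
Content-Type: text/html; charset="us-ascii"

<html><body>
<p>See our <a href="http://www.example.test/specials">September specials</a>.</p>
<img src="http://www.example.test/logo.gif" width="120" height="40" alt="logo">
<img src="http://track.example.test/bug.gif?key=8675309" width="1" height="1">
</body></html>
--b1--
"""

# An HTML tag: "<name>", "</name>" or "<name attr...>". Deliberately does NOT
# match a bare address like "<promo@example.test>", which every From header has.
MARKUP_RE = re.compile(r"<\s*/?\s*[a-zA-Z][a-zA-Z0-9]*(?:\s[^<>]*)?>")


class ImgCollector(HTMLParser):
    """Collect the attributes of every <img> tag in an HTML body."""

    def __init__(self):
        super().__init__()
        self.images = []

    def handle_starttag(self, tag, attrs):
        if tag.lower() == "img":
            self.images.append(dict(attrs))


class TextExtractor(HTMLParser):
    """Reduce HTML to its visible text, dropping <script> and <style> content."""

    def __init__(self):
        super().__init__()
        self.chunks, self._skip = [], 0

    def handle_starttag(self, tag, attrs):
        if tag.lower() in ("script", "style"):
            self._skip += 1

    def handle_endtag(self, tag):
        if tag.lower() in ("script", "style") and self._skip:
            self._skip -= 1

    def handle_data(self, data):
        if not self._skip:
            self.chunks.append(data)

    @classmethod
    def extract(cls, html):
        p = cls()
        p.feed(html)
        return " ".join(" ".join(p.chunks).split())


def _is_tiny_or_hidden(attrs):
    """Web bugs are typically 1x1 or styled invisible."""
    style = (attrs.get("style") or "").replace(" ", "").lower()
    if "display:none" in style or "visibility:hidden" in style:
        return True
    try:
        w, h = int(attrs.get("width", "")), int(attrs.get("height", ""))
    except (ValueError, TypeError):
        return False
    return w <= 1 and h <= 1


def find_web_bugs(html):
    """Return remote (http/https) tiny or hidden images with their query keys."""
    collector = ImgCollector()
    collector.feed(html)
    bugs = []
    for attrs in collector.images:
        parsed = urlparse(attrs.get("src", ""))
        if parsed.scheme not in ("http", "https"):
            continue  # inline cid: images cannot phone home
        if _is_tiny_or_hidden(attrs):
            bugs.append({"host": parsed.hostname, "params": parse_qs(parsed.query)})
    return bugs


def find_markup_in_headers(msg, headers=("From", "To", "Subject", "Reply-To")):
    """Names of headers that contain HTML markup; no mail header ever needs it."""
    return [h for h in headers if msg.get(h) and MARKUP_RE.search(str(msg.get(h)))]


def plain_text_view(msg):
    """Show the mail as text only: text/plain if present, else HTML stripped to text."""
    plain = msg.get_body(preferencelist=("plain",))
    if plain is not None:
        return plain.get_content().strip()
    html_part = msg.get_body(preferencelist=("html",))
    return TextExtractor.extract(html_part.get_content()).strip() if html_part else ""


def triage(raw_bytes):
    msg = email.message_from_bytes(raw_bytes, policy=policy.default)
    html_part = msg.get_body(preferencelist=("html",))
    html = html_part.get_content() if html_part is not None else ""
    return {"web_bugs": find_web_bugs(html),
            "markup_headers": find_markup_in_headers(msg),
            "text": plain_text_view(msg)}


if __name__ == "__main__":
    import json
    print(json.dumps(triage(SAMPLE_RAW), indent=2))
```

The point of `plain_text_view` is the post's own answer: the client never tries to decide which HTML is innocuous, it simply never renders any, so a script smuggled into a header or a body has nothing to run in. The two detectors are there for logging and for deciding whether to fetch remote content at all; a bug that is never requested never learns your IP or sets its cookie.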