[imp] HTML Mails

Eric Rostetter eric.rostetter@physics.utexas.edu
Wed, 10 Jul 2002 17:37:17 -0500

Quoting Tilo Lutz <TiloLutz@gmx.de>:

> Hi
> Is it possible that emails with viruses can be activated
> if I allow viewing html-mails within imp?

Yes, unless you filter your email at your server.  Even then it can still
be possible if you bypass the filters somehow, like possibly with the
new fetchmail (Other Accounts) function.

> Most of my users use IE and don't care about security.
> But I have to repair their machines.

Enabling html viewing is indeed dangerous.  But it is also the most asked-for
feature from the users.  So there is a trade-off there.  You need
to judge the risks versus "benefits" of it.

There's a good chance that even if you don't have IMP show the html in-line,
the determined user will still find a way to open the html in their
browser and infect their machine...  So you can't protect everyone completely.
But you can *help* protect them, and disabling in-line html is a good start
at that.

Eric Rostetter
The Department of Physics
The University of Texas at Austin

"TAD (Technology Attachment Disorder) is an unshakable, impractical devotion
to a brand, platform, product line, or programming language. It's relatively
harmless among the rank and file, but when management is afflicted the damage
can be measured in dollars. It's also contagious -- someone with sufficient
political clout can infect an entire organization."

--"Enterprise Strategies" columnist Tom Yager.