[plug] email message formats

Christian christian at amnet.net.au
Sun Dec 24 11:48:42 WST 2000


On Sun, Dec 24, 2000 at 10:04:02AM +0800, Bret Busby wrote:
 
> Warnings have been broadcast, about browsers that view attachments
> inline, automatically running executable files that are included as
> inline attachments, and, similarly, the executable files being run, when
> clicked on. Transmission of viruses, etc...

Executable files?  If your browser will execute any sort of program
(with Java being a possible exception) then you have a real problem that
has nothing to do with viewing attachments inline.  From memory one of
the questions in the Web Security FAQ is "Should I set up /bin/csh as
the helper application for the MIME type for C-shell scripts?"  The
answer is obviously an emphatic "no".  I really don't think Netscape
under Linux will execute any sort of program (except JavaScript if you
have this switched on for mail messages -- which you shouldn't have)
unless it is specifically configured that way.

 
> I took your advice, and, enabled cookies to visit the Amway site (and,
> only that site). Only problem is that, when I have visited the site,
> since I made that decision, their server has been down on each occasion.
> Hmmm...

I never advised you to do that.  I only said I didn't think you had much
to be worried about.

 
> Sorry; wrong, Christian. If I get an inline attachment, I only click on
> it, if it is in an email from one of a select few people.

Do you only ever browse web sites from those select few people?
Netscape won't do anything magical with attachments in a mail message
that it won't also do with objects on a web page.

> > Seems like a small degree of
> > protection to me.
> 
> Every small measure helps, does it not? A stone wall is made up of many
> small stones, and, a fort is built out of many small rocks...

Absolutely.  But since there is virtually no difference in risk in
automatically opening inline attachments and browsing the web, I don't
see how I can say that one is reasonably safe and one is not.  If there
is a difference I'm not aware of then someone please point it out!

 
> I believe, from memory, that warnings have been posted, by CERT, or
> someone, about inline attachments, which are disguised, and which
> contain malicious code.

It may be different in Internet Explorer.  I have a feeling it is but I
wouldn't know.

 
> If a cookie can identify a visitor to a website, and, result in the
> visitor being sent unsolicited email from various sources, one of which
> emails happens to contain malicious code, is that not a security
> violation?
> 

The cookie will not result in you getting spammed.  You obviously have
NO idea how cookies work.
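
Added example, not part of the original message: a check for the helper-application misconfiguration mentioned above (a shell or script interpreter registered as the handler for a MIME type). It assumes helpers are configured in a mailcap-style file (RFC 1524 format); the interpreter list and the sample entries are constructed for illustration.

```python
import os
import re
import shlex

# Interpreters that execute whatever content they are handed.
# This list is an assumption for the example; extend it for your systems.
INTERPRETERS = {"sh", "bash", "csh", "tcsh", "ksh", "zsh",
                "perl", "python", "python3", "tclsh", "wish"}

# Constructed sample mailcap content, not taken from any real system.
SAMPLE_MAILCAP = r"""
# viewers
image/*; xv %s
application/x-csh; /bin/csh %s
application/x-sh; xterm -e \
    /bin/sh %s; needsterminal
text/html; netscape -remote 'openURL(%s)'; test=test -n "$DISPLAY"
application/x-perl; /usr/bin/perl
"""

def logical_lines(text):
    """Join backslash-continued lines; drop blank lines and comments."""
    buf = ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        buf += line
        if buf.strip() and not buf.lstrip().startswith("#"):
            yield buf.strip()
        buf = ""

def audit_mailcap(text):
    """Return (mime_type, [interpreters]) for entries whose view command runs one."""
    findings = []
    for entry in logical_lines(text):
        # Fields are separated by ';' unless the semicolon is backslash-escaped.
        fields = [f.strip() for f in re.split(r"(?<!\\);", entry)]
        if len(fields) < 2:
            continue
        try:
            words = shlex.split(fields[1])
        except ValueError:          # unbalanced quotes: fall back to a plain split
            words = fields[1].split()
        # Heuristic: any word whose basename is a known interpreter is flagged.
        hits = sorted({os.path.basename(w) for w in words} & INTERPRETERS)
        if hits:
            findings.append((fields[0], hits))
    return findings

if __name__ == "__main__":
    for mime_type, hits in audit_mailcap(SAMPLE_MAILCAP):
        print(f"{mime_type}: handled by interpreter {', '.join(hits)}")
```

Only the view command (the second field) is inspected, so optional fields such as test= are not flagged.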


