HTML e-mail is STILL evil!!!

 

Introduction

(or "Comment: RE: Your "Seven reasons..." site, a question. Just who the hell do you think you are?")

In late 1999 I subscribed to the evolt.org web designer's list. I was struck by the vehemence of opposition to HTML email expressed by many on the list, with some half-seriously describing it as 'evil'. A year later I understood their reasoning, but many of my newbie friends didn't, and after a particularly nasty month in which I became a telephone help-line for several virus-infected acquaintances I decided to write this and the accompanying articles - Netiquette, Spam Fighting and Basic Online Security - so that I didn't have to keep repeating the same advice. My intention was to have some URLs I could send to my errant friends, instead of wasting hours on the 'phone or typing out the same advice in emails.

However all those articles have been found and linked to by bigger (and better) sites than mine and as a result general traffic to this page has soared... and so has the number of anonymous abusive responses! OK I can take abuse - after all, in my real life I'm a provocative performer and you should read some of my bad reviews - but the recent sudden surge in referrals (and abuse - e.g. the above) has prompted me to rethink this article and after doing so my conclusion was that...

HTML email is still EVIL and it's getting worse!!!

The internet is a dangerous place for the unwary, the trusting and the naive but a safe haven for the lazy, the spiteful, the self-centered and the cowardly. One such individual sent me this:

SUBJECT: HTML email doesn't work

Gee, that's funny. The week my company (name withheld for privacy) switched to using HTML emails instead of plain-text for our marketing campaign offers our revenues took a dramatic leap and have pretty much tripled over the last year and half. I guess you just have to know what you're doing, or at least have some experience in these things. Your comments and ideas are very outdated.

Sincerely,
B. D. Satterfield
Online Creative Director for above unnamed software company

This message was carefully typed into my contact form, without a valid email address being entered, so there was no way I could return it or even reply to it, though I did trace the I.P. no of the sender to a known spammer.

The 'know what you're doing' jibe missed its mark since B.D. Satterfield (oh yes!) had clearly missed the purpose of my article and the simple truth of my statement that 'HTML e-mail doesn't always work'. However the 'outdated' accusation WAS fair comment.

Two years ago I wrote that "it is hardly professional to ignore (or to be ignorant of) the negative impact of that message on the more informed members of your audience or the fact that a significant percentage will choose to instantly consign it to the waste basket or may never even receive it."

OK that was clearly wrong. But hey, I hadn't revised the page for more than a year and in that time the internet had changed radically... and not all to the good.

On the positive side, the internet is now cheaper, faster and bigger than ever. Unmetered access and widely available broadband, which were both 'a fantasy' in early 2000 are now becoming the norm, even here in the backwards UK. So the bandwidth issue, though still true, is of less concern than it was.

But that is the only positive. Unfortunately the cloud to that silver lining is that HTML mail is now more accepted, since fewer users will immediately notice the difference between a 5kb plain text or a 50kb HTML message. So... fewer notice... so fewer object... so more companies resort to HTML mail...

HTML email is now everywhere. But just because it is more accepted doesn't mean it's more acceptable.

On the negative side... the internet is now more dangerous than ever due to the increase in always-on connections in combination with the ignorance/complacency of new users of vulnerable systems (like the hacker-friendly WindowsXP) which can be hijacked for use as spam or DoS 'bots', PLUS the exponential growth in viral ingenuity and reproductivity, PLUS the refinement and ubiquity of user-tracking web-marketing technology (read 'spyware').

 

So what's wrong with HTML mail?

Before I list the 7 points, I want to make one thing as clear as I can. It's RECEIVING HTML mail that's the problem. SENDING HTML mail will not hurt you (unless you are still using a metered dial up connection) - it may even boost your company sales - but it also *may* hurt the people to whom you send it. So if you are happy to be ignorant, lazy, spiteful, self-centred and/or cowardly you can ignore the rest of this article and go and bask in your supercilious smugness. OTOH if you care at all about the people you send mail to, read on...

HTML email can be dangerous,
HTML email is not always readable,
HTML email wastes bandwidth
and
HTML email is simply not necessary.

These 4 points are as true now as they were 3 years ago and indeed they will ALWAYS be true while plain text exists as an alternative to HTML mail. (I hereby predict that M$ are designing Outlook Express 9 to ONLY accept HTML email - remember you read it here first!)

So here are the same seven points I made before, all still true though some details have been updated and expanded:

 

1. HTML e-mail is dangerous

If for no other reason, you should not send e-mail in HTML format because by doing so you are exposing your intended recipient(s) to the risk of catching a virus - a virus which you yourself may be unaware you have until you are told about it by someone you have infected (or until it alerts you to its presence by unleashing its payload).

Most of the fast-spreading internet-borne viruses propagate by automatically forwarding themselves to every address which they can find in your address book, and some even seek out every address in the body of every message in your inbox. Of course, they don't stop to ask your permission before doing this - the first symptom you'll spot is someone you've infected sending you an angry message saying you've given them a virus.

Unfortunately the latest popular virus at the time of writing (k l e z) fakes the from address too, so you cannot warn (or accuse) unknowing senders of viruses, and you may also find yourself falsely accused.

But what has this to do with HTML mail?

For at least 3 years there have been viruses (namely Bubbleboy and kak.worm) which are triggered simply by viewing an HTML message in the preview pane of unpatched versions of Outlook Express. There are other ways of getting HTML-capable email to run code automatically, for example by exploiting a vulnerability in the way the Internet Explorer engine (which Outlook and OE use to display HTML mail) handles IFRAMEs.

Since HTML can include scripts, HTML email is obviously more of a security risk than plain text, and the most recent viruses have made full use of this flaw.

2. HTML e-mail always wastes bandwidth

HTML e-mails are always at least twice the size of plain text mail, since they include both the plain text version and the same thing with embedded html markup tags. Don't believe me? Just look at the source code of any html mail you have received (in Outlook Express click File > Properties > Details > Message Source).

So YOU may have a big fat connection, but if you're sending your HTML mail to 5000+ addresses, some of your users will probably be on 56k or less metered dial-up connections, and your bloated message will cost them money.

3. HTML e-mail doesn't always work

Some popular e-mail readers (Pegasus Mail for one example) simply don't read HTML mail and others (such as Pocomail and even AOL) have difficulties displaying it properly.

The irony is that the applications which do read HTML well are precisely the ones which have the security holes. Why? ...because they render HTML... To do so they need to use some form of HTML rendering engine, usually one that is already resident on your system rather than one that is inbuilt. i.e. they use I.E. and Internet Explorer is so closely connected to the heart of the Windows OS that a security hole in it can be an open door to hard-drive trashing scripts.

4. HTML e-mail can connect to the internet by itself

If an HTML e-mail includes references to online images then (by default) Dial-Up Networking will try to connect to the internet to download those images. These images can also be used to set and retrieve cookies. O.K. So neither of these are your problem if you're the sender... but they can be very annoying if you're on the receiving end.
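An added example, not part of the original article: a Python check of one message for the risks in points 1, 2 and 4 (active content, the duplicated plain/HTML bodies, and remotely fetched images). The sample message, its URL and the names HtmlAudit and audit_message are constructed for illustration.

```python
import email
from email import policy
from html.parser import HTMLParser

# Constructed sample (not a real message): multipart/alternative carrying the
# same text twice, plus a script, an IFRAME and a remotely hosted image.
SAMPLE = (
    "Subject: Special offer\r\n"
    'Content-Type: multipart/alternative; boundary="b1"\r\n\r\n'
    "--b1\r\n"
    "Content-Type: text/plain; charset=us-ascii\r\n\r\n"
    "Hello, see our offer.\r\n"
    "--b1\r\n"
    "Content-Type: text/html; charset=us-ascii\r\n\r\n"
    "<html><body><p>Hello, see our <b>offer</b>.</p>\r\n"
    '<img src="http://tracker.example.com/open.gif?id=123">\r\n'
    '<iframe src="cid:part2"></iframe>\r\n'
    "<script>window.status='hi'</script></body></html>\r\n"
    "--b1--\r\n"
)

ACTIVE_TAGS = {"script", "iframe", "object", "embed"}  # can run or load code

class HtmlAudit(HTMLParser):
    def __init__(self):
        super().__init__()
        self.active, self.remote = [], []
    def handle_starttag(self, tag, attrs):
        if tag in ACTIVE_TAGS:
            self.active.append(tag)
        for name, value in attrs:
            if name in ("src", "background") and value and \
                    value.lower().startswith(("http://", "https://")):
                self.remote.append(value)  # fetched when the mail is rendered

def audit_message(raw):
    """Return body sizes and risky HTML features for one raw message."""
    msg = email.message_from_string(raw, policy=policy.default)
    sizes = {"text/plain": 0, "text/html": 0}
    audit = HtmlAudit()
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype in sizes:
            body = part.get_content()  # decoded text of this part
            sizes[ctype] += len(body.encode("utf-8"))
            if ctype == "text/html":
                audit.feed(body)
    return {"plain_bytes": sizes["text/plain"], "html_bytes": sizes["text/html"],
            "active": audit.active, "remote": audit.remote}
```

Calling audit_message(SAMPLE) returns the byte size of each body, the active tags found and every remote URL the client would request on display; any entry under "remote" is a request the sender's server can log.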

5. HTML e-mail renders slowly

Some mail apps (e.g. Outlook) can slow down considerably when rendering HTML. The need for an HTML parser has also led to code-bloat in email apps generally.

6. HTML usually looks like it has been designed by stoned amateur chimpanzees using Front Page Express with their feet

HTML e-mail offers the sender the opportunity to really go to town with their lack of design skills - unreadably small fonts, fonts that no-one else is likely to have, clashing colors, badly formatted image files etc. etc. By taking control of the appearance of e-mail away from the recipient they can prevent the sight-impaired from applying necessary user-accessibility options...

7. Digested lists hate HTML mail

OK, this one's a little specific, but if you send an HTML email to a subscriber list which has a digested version (i.e. which bundles several postings together into a single longer email) then your message may well appear in the digested version with all its html tags - i.e. virtually unreadable... that is if the list administrator hasn't configured their server to automatically filter your offending format to oblivion.


What to do...

Sending HTML-formatted email is just not necessary. If the appearance of your message is important either put it on a website and mail the URL, or save it as an .rtf (or even a .pdf) document, zip that up and send it as an attachment to a plain text mail.

So... check in your email client's options for how to set 'Mail Sending Format' to 'Plain Text'...

...and how to turn OFF 'Reply to messages in the format in which they were sent'.

Here's how to stop sending (EVIL) HTML e-mail from Outlook Express.

With these settings you will still be able to send images and other attachments. And images attached to plain text mail will be displayed by most popular email clients.

 

Links:

Here are some related pages. The links may have gone bad since I wrote this article.

 
7 reasons why HTML email is a bad thing
http://www.georgedillon.com/web/html_email_is_evil_still.shtml
[Updated - 12 April 2009]