Keep HTML email on a short leash

Like a good security manager, I’ve made sure that our email filters are solid. At the gateway we strip several dangerous extensions such as .js and .vbs. That’s fairly effective against direct attachments, but it provides no protection against HTML email.

What they do with HTML email is simply put a link to the JavaScript or VBScript file in the message body and let the browser rendering engine download it when it renders the HTML. Nothing ever arrives as an attachment, so an attachment-extension filter never sees it.

Five years ago you might have gotten away with banning HTML email, but you won’t today. Now you’re stuck implementing NIPS and HIPS to catch any bad code before it reaches IE and gets executed. I’ve mirrored our file-extension filters on the HIPS, and that has been fairly effective at blocking access to these dangerous files. It breaks some email functionality, but I think that’s a fair price to pay for the level of security it provides. Nine times out of ten I’ve found that what it breaks is advertising that isn’t a mission-critical communiqué anyway.

A good place to start for your extension filters is the Level 1 file-type list in Microsoft KB 262631 (the Outlook E-mail Security Update).
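To make the gap concrete, here is an added example (not code from the original post) that runs the same block list twice over a message: once against attachment filenames, the way a gateway filter does, and once against the URLs that an HTML body would make the rendering engine fetch. The extension set is an assumed small subset of the KB 262631 Level 1 list, not the full list, and both sample messages are constructed for the example.

```python
"""Added example: an attachment-extension filter versus the same block
list applied to external references inside an HTML mail body."""
from email import message_from_string
from email.message import Message
from html.parser import HTMLParser
from typing import List, Optional
from urllib.parse import urlparse
import posixpath

# Assumed subset of the KB 262631 Level 1 file types (the real list is longer).
BLOCKED_EXTENSIONS = {".js", ".jse", ".vbs", ".vbe", ".wsf", ".wsh",
                      ".hta", ".exe", ".scr", ".pif", ".cmd", ".bat"}

# Tag attributes through which a renderer fetches remote content on its own.
FETCHING_ATTRS = {
    "script": ("src",), "iframe": ("src",), "frame": ("src",),
    "img": ("src",), "embed": ("src",), "link": ("href",),
    "object": ("data", "codebase"),
}


def blocked_extension(name_or_url: str) -> Optional[str]:
    """Return the blocked extension of a filename or URL path, else None."""
    path = urlparse(name_or_url).path or name_or_url   # strips ?query and #frag
    ext = posixpath.splitext(path)[1].lower()
    return ext if ext in BLOCKED_EXTENSIONS else None


class _ExternalRefs(HTMLParser):
    """Collect every URL the HTML would cause the rendering engine to load."""

    def __init__(self) -> None:
        super().__init__()
        self.urls: List[str] = []

    def handle_starttag(self, tag, attrs):
        wanted = FETCHING_ATTRS.get(tag.lower())
        if wanted:
            self.urls.extend(v for k, v in attrs if v and k.lower() in wanted)


def attachment_hits(msg: Message) -> List[str]:
    """Gateway-style check: only direct attachments, judged by filename."""
    return [p.get_filename() for p in msg.walk()
            if p.get_filename() and blocked_extension(p.get_filename())]


def html_reference_hits(msg: Message) -> List[str]:
    """Mirror the block list onto URLs referenced from text/html parts."""
    hits: List[str] = []
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue
        body = part.get_payload(decode=True).decode(
            part.get_content_charset() or "utf-8", errors="replace")
        parser = _ExternalRefs()
        parser.feed(body)
        hits.extend(u for u in parser.urls if blocked_extension(u))
    return hits


def check_message(raw: str) -> dict:
    msg = message_from_string(raw)
    return {"attachments": attachment_hits(msg),
            "html_refs": html_reference_hits(msg)}


# Constructed sample 1: no attachment at all, but the HTML body pulls in a
# remote VBScript file. An attachment-only filter reports nothing.
SAMPLE_HTML_MAIL = """\
From: promo@example.invalid
To: staff@example.invalid
Subject: Quarterly newsletter
MIME-Version: 1.0
Content-Type: text/html; charset="us-ascii"

<html><body><p>See our new offers!</p>
<script src="http://cdn.example.invalid/track.vbs?c=1"></script>
<img src="http://cdn.example.invalid/banner.gif"></body></html>
"""

# Constructed sample 2: the classic case the gateway filter does catch.
SAMPLE_ATTACHMENT_MAIL = """\
From: a@example.invalid
To: b@example.invalid
Subject: invoice
MIME-Version: 1.0
Content-Type: multipart/mixed; boundary="b1"

--b1
Content-Type: text/plain

see attached
--b1
Content-Type: application/octet-stream; name="invoice.js"
Content-Disposition: attachment; filename="invoice.js"
Content-Transfer-Encoding: base64

Ly8gY29uc3RydWN0ZWQgcGxhY2Vob2xkZXI=
--b1--
"""

if __name__ == "__main__":
    for raw in (SAMPLE_HTML_MAIL, SAMPLE_ATTACHMENT_MAIL):
        print(check_message(raw))
```

The first message is exactly the case the post describes: the attachment check returns nothing, while the HTML check flags the `.vbs` reference the script tag would fetch. Matching on the URL path (query string stripped) rather than the raw string keeps `track.vbs?c=1` from slipping past the extension test; a real deployment would still need to handle redirects and content served without an extension, which is the gap the HIPS is there to cover.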

*silently fumes about HTML in email…and embedded browsing in Outlook…and IE being a security disaster in itself…*

What I find best is when someone from marketing walks up and asks about mass-mailing an HTML-formatted email and whether that is OK. “Sure, go ahead as long as it is not too big. But be aware that not every corporation allows HTML email to be viewable, and it might trigger some spam filters to block it.”

And the inevitable, “Our client got our emails but all of their users are seeing what looks like HTML code instead of our pretty email. Can you fix this?” Sure, don’t use damned HTML in your email missives. Otherwise, take it up with their IT on how you want them to allow HTML viewing in Outlook.

And after either of those events, you get the wide-eyed looks from them like you just told them you ran over their new puppy. And while that is fine the first time, they do it five times a year anyway, kinda like hoping the broken toaster fixes itself if you just leave it alone for a while to rest up…

/rant :)

I feel your pain. I fought the HTML fight for about five minutes and realized it was a losing battle. The company I work for is a “creative” company and also a partnership, which is a double-edged sword. We aren’t bound by many federal regulations, but that means I have very few federal regulations to throw at them to push compliance. And being “creative” means they have to appear fashionable, and as one guy told me, ‘your text-based email is ugly and boring’ (what would he say if he saw me using Pine? LOL)

Besides, in the grand scheme of things, I have bigger fish to fry, like P2P applications, remote management apps (like GoToMyPC), etc.

Yeah, I got over that fight pretty quick a few years ago. I keep it around silently though. :) I’m of the mind that SMTP is broken and dead, it just doesn’t know it yet.

[...] attacks. We filter email attachments based on MS KB262631, but attackers are increasingly using HTML email to bypass email gateway filters, so it’s getting trickier to protect your email [...]