>As it turns out, 81% of the emails containing HTML files with JavaScript are malicious, while only 19% are legitimate.... it’s clear that straight-out blocking HTML attachments with JavaScript is not an option for most organizations, as it would impact important business communication.
Oh of course, how dare we suggest companies stop doing sketchy things in their ~spam~ ~marketing~ notification emails that are explicitly trying to get you to click on links full of gobbledygook, training normal users that an ugly and unclear link is an expected form of communication! Nah, we could never tell businesses that sending a link that asks me to click a sketchy looking button to log into my bank account is something that should be discouraged because it makes users used to clicking on phishing emails.
Instead, we will just pretend to do stuff while half the company fails the bi-yearly phishing screening, including most of our VPs
> it’s clear that straight-out blocking HTML attachments with JavaScript is not an option for most organizations, as it would impact important business communication.
I suppose it depends on what your job is. My habit of decades for personal email is to not allow HTML at all. I do the same in the office. Sometimes, this means I'm reading the HTML source directly to get the information, which is inconvenient, but it's worth it to me.
Fortunately, most important emails I get contain no HTML at all, or use only trivial HTML that doesn't hinder reading the source.
I do wish people wouldn't use HTML in emails at all (it rarely adds anything useful to the email), but that's not the world I live in.
Honestly, while it is kinda sad it's the reality: it has great marketing potential (although it's a concept I inherently despise, it's giving me a job atm).
I would welcome marketing emails using HTML wholeheartedly if no actual people used it, because it would make automatically detecting and deleting the marketing emails much easier.
My email disallows images and javascript/html. I have yet to suffer for this. If anything it’s like the Adblock of email. And I’m not one of those “block all javascript on the Web” people.
Same (including that I am not one of those people who block JavaScript on the web; hell: I don't even use an ad blocker), though a few times a year I do run into a service that both explicitly provides a text/plain segment (so the mechanism that would just try to give me the text from the html segment isn't used) that is useless (missing links, doesn't have a text form of some code, etc.) and I have to open the code of the email to find the link; this is easily, however, solved in the email client and does not require activating either images or javascript/html.
13 comments
[ 1.9 ms ] story [ 26.2 ms ] threadOh of course, how dare we suggest companies stop doing sketchy things in their ~spam~ ~marketing~ notification emails that are explicitly trying to get you to click on links full of gobbledygook, training normal users that an ugly and unclear link is an expected form of communication! Nah, we could never tell businesses that sending a link that asks me to click a sketchy looking button to log into my bank account is something that should be discouraged because it makes users used to clicking on phishing emails.
Instead, we will just pretend to do stuff while half the company fails the bi-yearly phishing screening, including most of our VPs
like even a 5% false negative rate would be too high
In-line HTML would be over 90% of email these days and it’s throughly neutered - no JavaScript at all and only a subset of HTML.
I suppose it depends on what your job is. My habit of decades for personal email is to not allow HTML at all. I do the same in the office. Sometimes, this means I'm reading the HTML source directly to get the information, which is inconvenient, but it's worth it to me.
Fortunately, most important emails I get contain no HTML at all, or use only trivial HTML that doesn't hinder reading the source.
I do wish people wouldn't use HTML in emails at all (it rarely adds anything useful to the email), but that's not the world I live in.