Re: Paypal without HTML email
- From: Jack Campin - bogus address <bogus@xxxxxxxxxxxxxxxx>
- Date: Wed, 21 Dec 2005 20:36:43 +0000

>> You have the wrong end of the stick. The problem isn't with what
>> I'm receiving, it's with what PayPal are sending. Any message that
>> begins with <html><html> isn't off to a good start and it's downhill
>> all the way from there. I could just paste the message into a
>> browser window and it would render just fine - but I'd have no idea
>> what was behind the links in the message. It's an *advantage* of
>> my present mailer that it renders it to look like the garbage it is.

> Well the reason I suggested Google mail is because it reads HTML without
> problems. If your email client is having problems with rendering HTML and
> CSS it means it's out of date and probably needs to be upgraded or replaced.

Bollocks. The problem is *getting HTML mail in the first place*,
the last thing I want is to be able to render it.

> Upgrading is usually a good idea for security reasons in any case.

In this case, a mail client that renders the HTML is an *increased*
security risk - the typical scenario is that there is an embedded
URL in the mail with the real link behind it not being what you
think it is. This has been a common tactic for countless phishing
attacks. If all you see is the raw HTML source you will see where
you're being invited to go (insofar as you can see anything at all
in the garrulous rubbish you usually get).

I suggest reading the RISKS Digest for a while to get some of the
important ideas in this area.

> Actually it's a complete myth that plain text is somehow more secure than
> HTML or graphics. The problem with plain text is it is easy to monitor for
> keywords and can be monitored by ISPs, the security services and even
> criminals.

HTML is structured text. Any keywords present in a plain ASCII message
will also be there *unaltered* in an HTML-marked-up version of it. It's
just as easy for the NSA to find the relevant keywords in sansSerif{font-family:
verdana,arial,helvetica,sans-serif; font-size: 16px;color: #000000;}<B>George
Bush must die!</B> as in *George Bush must die!*.

The difference is that the NSA is doing its text searching by computer,
while a user trying to distinguish a valid PayPal message from a phishing
attack is just using their eyes and brain. Which have nothing to go on
with rendered HTML (fake and valid look the same) and get tired easily when
subjected to raw HTML source as badly written as PayPal's. The simplest
policy is just to assume that all HTML email is suspect, bin the lot unread
and never act on it.

> plain text can't be formatted properly,

There's nothing wrong with the formatting of your postings here, and
they're in plain ASCII. There's no need for PayPal to use any more
formatting in its registration process than you've done in discussing
it. Other services have no problem with this.

============== j-c ====== @ ====== purr . demon . co . uk ==============
Jack Campin: 11 Third St, Newtongrange EH22 4PU, Scotland | tel 0131 660 4760
<http://www.purr.demon.co.uk/jack/> for CD-ROMs and free | fax 0870 0554 975
stuff: Scottish music, food intolerance, & Mac logic fonts | mob 07800 739 557