[pmmail-list] My issues with PMMail - Security & HTML
Rich
pmmail-list@blueprintsoftwareworks.com
Thu, 30 May 2002 23:54:46 -0400
I rarely post here, and when I do it's generally ignored. But since PMMail is being worked on
again with updates coming (at least for the win version), I thought I'd give this one more shot
before I'm off to a different mailer...
First off, security. I've brought this up before and I don't understand why it doesn't seem to
bother anyone else? Here's the issue: To hack into this computer I'm typing into right now,
someone else would need four pieces of information.
1: my IP address. That's easily attainable, not secret and nothing to do with PMMail.
2: My network name.
3: my computer name.
4: the password to gain network access. Not easily attainable...
Both 2 & 3 above ARE supplied by PMMail whenever I send out an e-mail. PMMail sends the
HELO command whenever it sends an e-mail. This is normal and just fine. But it uses the
computer name & network name of your system for this! Back when I first reported this, only the
computer name was sent. The very next 'update' and PMMail now sends both the computer
name and network name.
So now anyone who reads one of my e-mails has 3 out of 4 needed pieces of information to
hack into my computer and I'm not thrilled at all. There is no excuse to send this private
information out with every e-mail. Other mail programs commonly use the reply-to or account
e-mail address for the HELO command. That's fine. But NOT the network and computer names!
If anyone goes looking for this info in my e-mails or anyone else's, you may not find it. This
seems to be ISP dependent and most seem to not relay this information. Of course mine does...
Luckily, I could modify the PMMail binary to stop this. But NOT since I reported it! So, no, I'm not
running the latest updates... If anyone knows a way to get around this, either by modifying the
latest version or intercepting the outgoing e-mails, I would surely love to have such
information...
Second is the way PMMail handles HTML. Right off the bat, I will say that I prefer NO handling
of HTML. I don't see why any interpreting is done at all. Just display the text and be done with
it. I constantly have to open the mail (I generally use the preview window) and then view full
message from the menu to see the HTML coding. If the text was just displayed (as in view full) I
wouldn't have to do anything, and I wouldn't have to put up with the garbage HTML rendered
mails (mostly spam anyway).
Now for the spam and HTML. I am one of those people who always reports spam to the
originating ISPs. For a while I was just forwarding the e-mails after using 'view full' to get the
web or return e-mail addresses. Then I wondered, and sent one of these forwards to myself.
Interesting. The horrible colors, fonts and formatting were retained, but not the embedded links!
So the ISPs I was sending these e-mails to had no way to see what web page was being
advertised... Now I have to do a view full, then copy & paste the entire message to retain the
links when I report to ISPs. This would be considered a bug in my book I suppose? So I
thought it was worth mentioning. If I were to forward an HTML e-mail to a friend that contained
links, it would be useless...
One minor issue with these HTML spams. They are now commonly using odd color
combinations, especially the background color. The problem here is when the e-mail is
forwarded, I can't change the background color and very often the text will not be readable. In
these cases, I have to create a new mail and copy all the info from the view-full window of the
spam. There should be a way to change the background color. And there should be NO
background color when HTML is turned off!
This is all on win PMMail 2K ver 2.20.2360, the last version I can run until the above problem is
fixed! Hopefully soon, I will be going back to my OS/2 version after some machine work. But I
do actively use both for now anyway...
Rich...
******************************************************************************
Practice Random Acts of Kindness and Senseless...Umm...Uhh....
Oh - Heck...I never could remember all that "nice" stuff.
-----------------------------{rich@bearlycomputing.com}------------------------------
******************************************************************************
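
An added example, not part of the original post: one way to check what HELO name a mail client discloses is to send a message to yourself and read the `from` clause of each Received header, which is where a relaying server records the HELO argument. The sample message, host names and the `helo_disclosures` helper are constructed for illustration.

```python
import re
from email import message_from_string
from email.utils import parseaddr

# Constructed sample message (names and addresses are made up for illustration).
SAMPLE = """\
Received: from mx.isp.example (mx.isp.example [192.0.2.10])
\tby inbox.recipient.example with ESMTP id abc123;
\tThu, 30 May 2002 23:54:50 -0400
Received: from DEN-PC.HOMENET (dialup-7.isp.example [198.51.100.7])
\tby mx.isp.example with SMTP id xyz789;
\tThu, 30 May 2002 23:54:47 -0400
From: Sender <sender@mail.example>
To: someone@recipient.example
Subject: test

body
"""

# Received: from <HELO argument> (<host the server saw> [<ip>]) by ...
FROM_CLAUSE = re.compile(r"from\s+(\S+)(?:\s+\(([^)]*)\))?", re.I)

def helo_disclosures(raw):
    """List (helo_name, reason) for HELO names that are neither the sender's
    mail domain nor the public host name the receiving server recorded."""
    msg = message_from_string(raw)
    domain = parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()
    findings = []
    for hdr in msg.get_all("Received", []):
        m = FROM_CLAUSE.match(" ".join(hdr.split()))  # unfold continuation lines
        if not m or m.group(1).startswith("["):       # no from clause, or IP literal
            continue
        helo, seen = m.group(1), (m.group(2) or "").split()
        name = helo.lower()
        if domain and (name == domain or name.endswith("." + domain)):
            continue  # HELO based on the account's mail domain
        if seen and name == seen[0].lower():
            continue  # same as the public name the server already saw
        reason = "unqualified name" if "." not in name else "differs from public host name"
        findings.append((helo, reason))
    return findings

if __name__ == "__main__":
    for helo, reason in helo_disclosures(SAMPLE):
        print(f"HELO name disclosed in Received header: {helo} ({reason})")
```

If the list comes back empty for a message you sent, the relay either did not record the HELO name or the client used a name based on the mail domain.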