Mixed messages from the IT department regarding email safety


TipTalk wrote some time ago about the urban legend of the Reading Pane. In the conclusion, the article mentions the "read all standard mail in plain text" setting. And that reminded me of a story.

Some time ago, the IT department sent out a message to all users on the subject of email safety. The gist of the message was that for increased safety, everybody should go to that options dialog and check the box to set Outlook to read email in plain text mode.

It's not clear whether they expected anybody to take their message seriously, though: They sent the message in HTML format.

Comments (20)
  1. Mike says:

    but was it also sent with a plain text alternative version? as is done by default with all email clients i’ve seen that send out HTML

    of course the best idea would be to send out a HTML version with the security warning, with a plain text version consisting of "your client is already configured correctly"

  2. nathan_works says:

    I’ve found that 99.5% of emails sent in HTML are fully readable in plain-text. You just don’t see their fancy signature line, or the spinny whirry graphics they included. The people sending spinny whirry types can usually safely be ignored anyway.

  3. Indeed, in my experience, some emails sent in HTML are MORE readable in plaintext (the tricky little white-on-white text obfuscation tricks people do in HTML disappear.)

    If there’s a point to this blog post, I’m missing it.

  4. andy says:

    I wonder how the people working in Outlook and/or Windows Live Mail that came up with this feature felt to hear that their hard work had to be disabled in their own company

  5. Alexandre Grigoriev says:

    Viewing messages in plaintext made sense when the client was downloading pictures and executing scripts by default. Current Outlook Express will only download pictures when told so.

  6. Jim Lyon says:

    I think it was a sad day when html email became the default in Outlook and Outlook Express. Before that, 90+% of all html email was spam, and it was easy to filter. Changing the defaults killed that strategy.

  7. LionsPhil says:

    "I wonder how the people working in Outlook and/or Windows Live Mail that came up with this feature felt to hear that their hard work had to be disabled in their own company"

    With any luck, those responsible for HTML mail have long since realised their mistake, and feel mostly repentant.

    As for the authors of the likes of IncrediMail, however…

  8. Whatever says:

    TipTalk says… "Prior to Outlook 2003, previewing an HTML email in the Reading Pane would [retrieve all images]" and "In Outlook 2007, images and other linked content in HTML messages are blocked by default", which leaves me with the question, what happens in Outlook 2003 (which is what is still installed on my work PC)?

  9. SI says:

    Outlook 2003 doesn’t get the images. (At least with all updates, don’t know how a plain install does it)

  10. no one of consequence says:

    So, it took the ‘softies until Outlook 2007 to figure out that automatic downloading / execution of untrusted third-party files is a bad idea? And versions prior to 2007 were, at least in principle, vulnerable to all sorts of HTML attacks? How is this an urban legend?

  11. Worf says:

    I spent a good hour finding the plaintext option, while my outgoing email defaults to plain text by default.

    The reason? One of my cow-orkers insisted on showing his engineering prowess by having a grid as the background – in bright light blue. Besides distracting, it made the text hard to read since these bright blue lines would sear into the eye and drown out the lighter-weight text.

    Alas, he never read replies to disable that damn background, so I took it into my hands to force plain text until he left. As a side bonus, replies ended up with his text munged while mine stayed nicely-formatted plain text.

    Of course, since I send plain text, the mandatory corporate signature gets munged. But since I value community help (which involves sending plain text messages) over the needs of corporate branding (seeking help in the right places vs. pissing them off), it’s better for all involved. My emails never make it unadulterated to potential customers anyways – only to current customers

  12. HagenP says:

    Mini-story one:

    Company_A (Notes Mail) admin newsletter:

    "Mail database size needs to be kept below 100 MB. Please move all very large and old mails to a backup mail database on your file server."

    Notes: (1) The mail was not readable by an old mail client – it came with its own template. (2) One of these mails amounted to more than 1 MB (because of the template). (3) The plaintext version was ca. 80kB. The mail was sent to ca. 5000 users. (4) The suggestion means that instead of archiving your mail on a Notes server, you archive it via a network-stored "local" mail database – multiplying the network-load for access to a single message, especially when searching.

    Mini-story as comment to Mike

    ("of course the best idea would be to send out a HTML version with the security warning, with a plain text version consisting of "your client is already configured correctly"")

    CompanyB sent out a newsletter in HTML and text format.

    The HTML version was OK, but the text version was an old one from more than a year ago… and it was kept the same for a number of months.

  13. Kim Sullivan says:

    I’m still using Outlook 2k, it looks like I’m out of luck…

  14. Alexandre Grigoriev says:

    Outlook 2003 got it half-right. It still *insists* on downloading the images even if you only want to forward the message. If you refuse to download, sucks for you.

  15. Chris says:

    Completely unrelated to the post, but is there any reason that the article page prompts me for a username + password after leaving it open for a while?

  16. Aardvark says:

    The only virus I ever was infected with came by way of the preview pane. (right-click to delete the message selected it, previewed, infected).

    However, I bet that was more than 10 years ago…

  17. David Brooks says:

    Would be the same IT department that told us all to set the default verb for scripts to Edit (instead of Open), while building lots of important cmdline administration tools that just used script filenames as commands?

    I wondered why I kept seeing Notepad pop up when I was running an IT-supplied command. I then wondered why nobody else seemed to have the same problem.

  18. Matt Green says:

    HTML should never have been allowed in email in the first place. What does it give us? Oh, right: emails where the sender forced the font to be MS Comic Sans all the way through. Somewhere along the line we decided the content of our emails wasn’t enough, we needed to be able to style them as well! Normally, I wouldn’t care. But when it can be exploited as a potential malware vector, well, then I propose we cannot be too conservative. We still have the IE engine rendering the content. It still strikes me as an unnecessarily large attack surface for a small benefit.

    Of course, it could never be taken away from people, because then their animated smileys wouldn’t work.

  19. CmraLvr2 says:

    The comments read like most people, as is typical, missed the point.  It’s an amusing story.  HAHA

  20. Olivier says:

    Personally, I think HTML e-mails are great, but they should be limited (in the editor AND in the previous pane) to basic HTML like bold, italic, underline, color, tables and images, nothing else. All the other tags should be removed/disabled.

Comments are closed.
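
An added example, not part of the original post or its comments: the thread turns on whether an HTML message carries a plain-text alternative, and on what a plain-text view leaves out (remote images, same-colour hidden text). This Python sketch checks a message for both; the message, addresses and tracker URL are constructed sample data.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
# Constructed sample (not from the page): multipart/alternative with a
# text/plain part and an HTML part holding a remote image and hidden text.
RAW = """\
From: it@example.com
Subject: Email safety
Content-Type: multipart/alternative; boundary="b1"

--b1
Content-Type: text/plain; charset="utf-8"

Please set Outlook to read mail in plain text.
--b1
Content-Type: text/html; charset="utf-8"

<html><body><p>Please set Outlook to read mail in plain text.</p>
<img src="http://tracker.example.net/open.gif?id=42">
<span style="color:#ffffff;background:#ffffff">hidden words</span></body></html>
--b1--
"""

class HtmlAudit(HTMLParser):
    """Collects remote resource URLs and same-colour (invisible) styling."""
    def __init__(self):
        super().__init__()
        self.remote, self.hidden = [], 0

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        for key in ("src", "background"):  # attributes that trigger a fetch
            if (a.get(key) or "").lower().startswith(("http://", "https://")):
                self.remote.append(a[key])
        style = (a.get("style") or "").replace(" ", "").lower()
        props = dict(p.split(":", 1) for p in style.split(";") if ":" in p)
        bg = props.get("background", props.get("background-color"))
        if props.get("color") and props.get("color") == bg:
            self.hidden += 1  # text colour equals background colour

def audit(raw):
    """Report what a plain-text reader shows and what the HTML part adds."""
    msg = message_from_string(raw, policy=default)
    plain = msg.get_body(preferencelist=("plain",))
    html = msg.get_body(preferencelist=("html",))
    a = HtmlAudit()
    if html is not None:
        a.feed(html.get_content())
    text = plain.get_content().strip() if plain is not None else None
    return {"has_plain": plain is not None, "plain_text": text,
            "remote": a.remote, "hidden_spans": a.hidden}
```
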