[Esa-l] Deny ALL HTML

Brett Glass brett at lariat.org
Sat Apr 21 19:35:30 PDT 2001


You don't necessarily need to use the sanitizer or Procmail to
do this. You can match tags and reject the message via the
regex matching in Sendmail itself. See my paper at


for information on how to do this.

Be warned that many HTML messages aren't labeled
as such. This is because AOL -- the target of many spammers
and malicious exploits -- doesn't require an HTML message
to be a MIME attachment. It unconditionally parses and
obeys HTML tags included in an ordinary message. So do
some MUAs.


At 10:14 AM 4/21/2001, Jason Jordan wrote:
>Ok, call me paranoid - but I've had enough.
>I can't see any reason to put myself and my team at risk so I've
>discussed with them the option of simply bouncing all email containing
>HTML of any description.
>We don't want to strip it - we just don't wish to accept it - and we'd
>like to notify the sender that we have refused the email - and why.
>There is too much risk with all the active content these days.  I'm not
>prepared to allow for anything we may accidentally let slip through.
>I want plain text!
>Any ideas on how to do this?
>I think procmail is the answer but am I reinventing the wheel?  Is this
>something John's procmail script can do?
>Cheers, Jas

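Added example, not part of the original thread and not the Sendmail regex method the reply refers to: a Python filter decision that rejects both MIME-labeled HTML and the unlabeled case described above, where HTML tags sit in an ordinary text body. The function name html_verdict, the tag list and the sample messages are assumptions made for this illustration.

```python
import email
import re
from email import policy

# Heuristic tag list (an assumption of this example). The lookahead requires
# whitespace, "/" or ">" after the tag name, so "<a@example.org>" and
# "<http://...>" in ordinary plain text are not mistaken for markup.
HTML_TAG_RE = re.compile(
    r"<\s*/?\s*(?:html|head|body|script|style|iframe|object|embed|form|meta|"
    r"link|img|a|font|table|div|span|p|br|b|i)(?=[\s/>])[^>]*>",
    re.IGNORECASE,
)

def html_verdict(raw_message: bytes):
    """Return (reject, reason); reason can be quoted in the bounce notice."""
    msg = email.message_from_bytes(raw_message, policy=policy.default)
    for part in msg.walk():
        if part.is_multipart():
            continue
        ctype = part.get_content_type()  # text/plain when no header is present
        if ctype == "text/html":
            return True, "message contains a part labeled text/html"
        if ctype == "text/plain":
            try:
                body = part.get_content()  # undoes base64 / quoted-printable
            except (LookupError, UnicodeError):
                body = (part.get_payload(decode=True) or b"").decode("latin-1")
            found = HTML_TAG_RE.search(body)
            if found:
                return True, "HTML tag in unlabeled body: " + found.group(0)[:40]
    return False, "plain text only"

# Constructed sample messages (not taken from the thread).
LABELED = (b"From: a@example.com\nMIME-Version: 1.0\n"
           b'Content-Type: multipart/alternative; boundary="b1"\n\n'
           b"--b1\nContent-Type: text/plain\n\nhello\n"
           b"--b1\nContent-Type: text/html\n\n<p>hello</p>\n--b1--\n")
UNLABELED = (b"From: x@example.com\nSubject: hi\n\n"
             b"Hello <FONT color=red>there</FONT>\n")
PLAIN = (b"From: x@example.com\nSubject: hi\n\n"
         b"Mail <a@example.org> or see <http://example.org/>; 1 < 2 > 0\n")

if __name__ == "__main__":
    for name, raw in (("LABELED", LABELED), ("UNLABELED", UNLABELED), ("PLAIN", PLAIN)):
        print(name, html_verdict(raw))
```

Checking only the Content-Type header would pass the UNLABELED sample, which is the case the reply warns about; the body scan is what catches it.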