An official website of the United States government
Here's how you know
A .mil website belongs to an official U.S. Department of Defense organization in the United States.
A lock (lock ) or https:// means you’ve safely connected to the .mil website. Share sensitive information only on official, secure websites.

AETC to disable HTML format in incoming e-mails

  • Published
Beginning in January, all e-mails sent to government accounts will hit the inboxes in a more plain, but much safer, format.

To increase security and safeguard against attacks from potential aggressors, network configurations will be changed at all AETC bases Jan. 15, 2008. One of the most visible differences users will notice is that messages will not hit inboxes in HyperText Markup Language (HTML) format anymore. Instead, all messages will appear in "plain text."

While HTML formatting can make messages more colorful and eye-catching -- allowing use of text formatting like bold, italics, underline, and highlighting -- the format is more vulnerable to exploitation.

Prior to this implementation, an attacker could create an HTML formatted e-mail to get an unsuspecting user to use a hyperlink leading to a malicious website or to open a file or program. That file or program can then allow the attacker access to information on the computer or even allow the attacker to gain full control of the computer from a remote location. Malicious code (such as viruses, spyware, and malware) can be hidden in seemingly harmless e-mail attachments. Once the attachment is opened the malicious code infects the computer -- often without the authorized user even being aware of the infection.

As a by-product, the new security configuration will impact Rich Text formatted email as well, but the upcoming change doesn't mean users won't be able to view an e-mail the way it was originally prepared. HTML and Rich Text formatting will simply be a click of a button away. The change will also not prohibit users from creating e-mails using HTML or Rich Text.

Plain text formatting is safer because the format does not support the editing of hyperlinks and the inclusion of embedded code.

Disabling HTML e-mails, using anti-virus software, and maintaining network and personal firewalls are all part of the Air Force's Defense-in-Depth approach to countering malicious attacks on government computers and networks. "These technical controls work well, but user security awareness is the important part," said Capt Robert Boesen, 561 Network Operations Squadron, Detachment 2 commander. "It only takes one authorized computer user to visit a malicious website or open an infected e-mail attachment to compromise a computer and possibly an entire network."

"Whether it is for political, financial or personal gain, attackers probe our network defenses daily looking for any weaknesses they can exploit," said Lt. Col. Gary Haines, AETC Computer Systems Squadron commander. "A reason HTML e-mails are being disabled is they have rapidly become a favorite weapon of the aggressors to circumvent our defenses," Colonel Haines said. "Regardless of the number of defenses we have to prevent an attack on the network, it is always possible the attackers will find a way around our defenses so we need all computer users to constantly be on guard for suspicious e-mails," the colonel said. "A good rule of thumb is to verify the sender and authenticity of any e-mail prior to taking any action based on the e-mail's content."

Members of the AETC enterprise security branch provide three easy-to-remember tips to recognize suspicious e-mails:

1. If an e-mail looks suspicious, it's suspicious.
2. If an e-mail asks for personal information, it's suspicious.
3. If an e-mail asks you to take any action you normally would not, it's suspicious.