It has been known for some time that email in HTML format can be used to
execute arbitrary programs on the recipient's computer.

     http://www.cert.org/advisories/CA-2000-12.html


     http://www.symantec.com/avcenter/sirc/incorrect.mime.header.vulnerability.html

The recipient does not have to open the email; the program will run if the
message is displayed in a preview window. List owners who try to protect
their lists with "Language= NOHTML" soon discover that LISTSERV only stops
HTML if the post also has a plain text attachment. It is easy for a hacker
to remove the plain text attachment from their malicious email messages.
Anti-virus programs will only catch malicious posts that are known to their
vendor, and list moderation sacrifices the moderator's computer.

The solution is simple - if the list owner specifies that they want no HTML
posts then LISTSERV should not allow HTML posts to the list!


Jim Walker
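
Added example, not part of the original post and not LISTSERV code: a sketch of the strict no-HTML policy the post asks for, next to a lenient mode that models the behaviour as the post describes it. The function name, decision labels and sample messages are constructed for illustration.

```python
import email
from email import policy

def filter_post(raw, strict=True):
    """Return (decision, plain_text) for one raw RFC 822 message.

    strict=True  : a post whose only body is HTML is rejected.
    strict=False : models the behaviour described in the post, where HTML
                   is only removed when a plain-text part is also present.
    Non-text attachments are ignored in this sketch.
    """
    msg = email.message_from_string(raw, policy=policy.default)
    plain, has_html = [], False
    for part in msg.walk():
        if part.is_multipart():
            continue  # containers carry no body of their own
        ctype = part.get_content_type()
        if ctype == "text/html":
            has_html = True
        elif ctype == "text/plain":
            plain.append(part.get_content())
    text = "".join(plain)
    if not has_html:
        return ("accept", text)
    if plain:
        return ("strip_html", text)  # distribute only the plain-text part
    # HTML with no plain-text alternative: the case the post is about.
    return ("reject", "") if strict else ("pass_html", "")

# Constructed sample messages (not real list traffic).
HDR = "From: poster@example.org\nSubject: test\nMIME-Version: 1.0\n"
PLAIN_ONLY = HDR + "Content-Type: text/plain; charset=us-ascii\n\nhello list\n"
HTML_ONLY = HDR + "Content-Type: text/html; charset=us-ascii\n\n<p>hello list</p>\n"
ALTERNATIVE = (
    HDR + 'Content-Type: multipart/alternative; boundary="b1"\n\n'
    "--b1\nContent-Type: text/plain; charset=us-ascii\n\nhello list\n"
    "--b1\nContent-Type: text/html; charset=us-ascii\n\n<p>hello list</p>\n"
    "--b1--\n"
)

if __name__ == "__main__":
    for name, raw in [("plain", PLAIN_ONLY), ("alternative", ALTERNATIVE),
                      ("html-only", HTML_ONLY)]:
        print(name, "lenient:", filter_post(raw, strict=False)[0],
              "strict:", filter_post(raw, strict=True)[0])
```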