I started playing around with IMAP, and after figuring out the basics my thoughts turned to security. I tried searching for information on this, but the searches keep turning up information on SSL and encrypting emails, which isn't what I want.
The most obvious concern is malicious JavaScript, so for HTML emails I am sure I would want to strip out all "script" tags as well as any event attributes (onclick, onmouseover, etc.). Probably it is also a good idea to change any "(", ")", "{" or "}" to their character codes, as JavaScript could be inserted in other places. I see most of the big email providers (Google, Yahoo, AOL, Live, etc.) remove everything outside the "body" tag, which seems excessive. Of course, on that note, maybe the "meta" tags should also be removed; there is no reason to keep them in an email. They also remove a lot of inline CSS. I can't see why, but I thought maybe there's a security reason, so I thought I would mention it.
After that, I don't know enough about the underlying mechanics of email to determine whether I need to take other steps. It seems an email server would reject an improperly formatted email, but I am not really sure about that, so I guess I need to know if I can trust the header info not to contain malicious code. Then, outside of what I mentioned above, are there any other risks with malicious code in the body of an email?
I am sure most have seen the phishing emails that alert you to some issue and ask you to download a file to resolve the matter. Of course, any half-informed person knows those files have viruses. So it is obviously the intent of some emails to infect a user's PC. And I would guess it isn't too much of a stretch to conclude they would like to infect any web-based email client servers as well.
As such, I figure I had better take every precaution when working with IMAP.
If anyone knows of a good article or link on the topic please feel free to share.
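As an added example (not code from the original post), here is the kind of HTML-email sanitizer the post describes, written in Python with only the standard library. It goes a step beyond the blocklist approach in the post: instead of stripping known-bad tags, it keeps only an allowlist of tags and attributes, discards everything inside script/style/head/meta and similar elements, drops on* event attributes, and rejects href/src values whose scheme is not http, https or mailto. All names (`sanitize_email_html`, `EmailSanitizer`, the allowlist contents) are my own choices.

```python
from html import escape
from html.parser import HTMLParser

# Allowlist: unlisted tags/attributes are dropped (their text is kept); DROP_TAGS content is discarded.
ALLOWED_TAGS = {"p", "br", "b", "i", "u", "em", "strong", "a", "img", "ul", "ol", "li", "div", "span", "blockquote"}
ALLOWED_ATTRS = {"a": {"href", "title"}, "img": {"src", "alt", "width", "height"}}
DROP_TAGS = {"script", "style", "head", "title", "meta", "link", "base", "iframe", "object", "embed"}
VOID_TAGS = {"br", "img", "meta", "link", "base"}  # elements that never have a closing tag
SAFE_SCHEMES = ("http:", "https:", "mailto:")
def safe_url(value):
    # Browsers skip control chars/whitespace when reading the scheme; rejects javascript:, data:, vbscript:
    return "".join(c for c in value if c > " ").lower().startswith(SAFE_SCHEMES)
class EmailSanitizer(HTMLParser):
    def __init__(self):
        super().__init__(convert_charrefs=True)
        self.out, self.skip_depth = [], 0  # skip_depth > 0 while inside a DROP_TAGS element

    def handle_starttag(self, tag, attrs):
        if tag in DROP_TAGS:
            self.skip_depth += tag not in VOID_TAGS  # void tags (meta, link) have no content to skip
            return
        if self.skip_depth or tag not in ALLOWED_TAGS:
            return
        kept = []
        for name, value in attrs:
            name, value = name.lower(), value or ""
            if name.startswith("on") or name not in ALLOWED_ATTRS.get(tag, ()):
                continue  # event handlers (onclick, onmouseover, ...) and unlisted attributes
            if name in ("href", "src") and not safe_url(value):
                continue
            kept.append(f' {name}="{escape(value)}"')
        self.out.append(f"<{tag}{''.join(kept)}>")

    def handle_endtag(self, tag):
        if tag in DROP_TAGS:
            if tag not in VOID_TAGS and self.skip_depth:
                self.skip_depth -= 1
            return
        if not self.skip_depth and tag in ALLOWED_TAGS and tag not in VOID_TAGS:
            self.out.append(f"</{tag}>")

    def handle_data(self, data):  # comments, doctype and PIs are dropped by default
        if not self.skip_depth:
            self.out.append(escape(data))  # re-escape text the parser decoded
def sanitize_email_html(html):
    parser = EmailSanitizer()
    parser.feed(html)
    parser.close()
    return "".join(parser.out)
```

Because the parser decodes entities before the scheme check, an `href` such as `&#106;avascript:` is caught, and an unclosed `<script>` fails closed by discarding the rest of the message.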