I think that a security-conscious mail-list system would suppress the
html alternative.
I did an informal survey of the viability of this approach a while back. The
very first thing I found is that the IETF is an outlier, and you shouldn't
assume what you see on IETF lists is in any way the norm.
When dealing with lists in general, do the text only thinkg and you end up with
delightful stuff like messages that say, "Please see the HTML part for the
actual content of this message". Or "This message can only be read by a client
that supports HTML".
Then there are the ones that do a crap job of producing the text from the HTML.
Things like text that is the same as the HTML with all the XML-ish punctuation
removed, but retaining all the tags and scripts. There's even one that produces
text with one character on each line that I especially like.
And then there are the ones which insert the text part but leave it blank.
This is just the subset I've seen on various lists. Once you start considering
the full gamut of email messages you'll find additional things like commercial
messages where the text part says, "Please click on this URL to view the
message on the web".
E-mail used to have lots of executables attached with
the potential to spread virus and the like and, nowadays, most mail
exploders will remove anything like that that could do damage without
being asked - it is taken as read.
In spam, sure. But in legitimate email? Not in my experience.
In recent times, a lot of attention
has been paid to privacy, in the work of the IETF, but sending out the
html to all subscribers I see as a vector for bad actors to breach privacy.
A potential vector. And while lists are important, I'm far more concerned
with the more general case that includes commercial email.
And like it or not, outside the IETF the HTML horse left the barn a long time
back. We can chose to deal with or ignore it, but getting it back in
the barn is not an option.
Ned
