I would rather cut my own heart out with a teaspoon than use Leopard Mail’s HTML stationery.
But I know not everyone shares my view.
If you are a lover of this kind of thing, Josh Pigford at The Apple Blog has a long and detailed post 
on how to edit or create your own stationery for use with Leopard Mail.
He explains where the HTML files are stored within Mail’s package and how to get at them, as well as what files are required if you are working up a new template from scratch.
He even provides some “walkthrough” files to act as a pattern for your own creations.
Why would you rather cut your own heart out with a spoon. Is It bad HTML. Do you hate the designs? I’d really like to know.
There is a group of people that despise HTML messages of any kind. They are slow to render and usually just contain fluff that is really not necessary.
That said, I don’t mind them so much so long as they are safe. I can’t say that Apple’s is safe; especially since it sounds like it’s fairly easy to modify a template to do what ever you want.
In the past and probably even now, HTML messages can have evil code in them to do just about anything to a Windows based system. Probably even a Mac system if you know what you are doing. The act of rendering the message will cause the evil code to execute and it’s all over.
All that said, I welcome these templates for special occasions like birthdays, graduations, etc…
I’ll probably surf over to the site linked here and see what there is to do to create a custom template of my own.
—
It’s nice to see HawkWings back up and posting tips again. It’s been a while and I understand why. It’s just nice to see you back again. Thanks!
It’s not quite true to say, as the writer does,
“… the only requiremen[t] for [writing] your own stationery is that you know … HTML.”
Mail will still accept content written in the system RTF editor TextEdit and convert it into HTML on the fly via the Services Menu. So it *is* possible even for those who *don’t* know X/HTML to write templates. They just need to use TextEdit.
So one could keep a template handy as an RTF document, open it in TextEdit, edit it, highlight the content, then select TextEdit > Services > Mail > Send Selection when one wanted to send.
One could also make a “Templates” folder in Mail. Any template could be written either by doing as above or by doing as follows:
1. write your template in HTML in an text editor or HTML editor
2. open it in Safari
3. press Command + I
In either case, it could then be got in a “Templates” folder by doing as follows:
Save the new message as a draft.
From “Drafts” the template can be dragged-and-dropped to “Templates”.
Messages can’t be edited in a normal mail-folder, but a template could be edited — for a current message before sending — by copying it back to “Drafts”. (Highlight message and choose Message > Copy To > Drafts.)
That said, I doubt I shall be writing any templates myself by any method.
Thanks Dave – I guess the best defense is to really trust the person or company sending the email. I’ve heard it is possible and a common practice when companies email newsletters to ‘double-up’ the HTML emails with a plain text version. Do you know if this is possible using mail 3.0?
I’m no expert of Mail.app, but I don’t believe it has the ability to send both. If, when you send a message via Mail.app, you don’t change any fonts or paste any text that might be in rich text format, Mail.app will send the message as plain text. Otherwise it sends it as rich text or HTML text.
Other mail clients like Thunderbird (or what ever it’s called these days) most likely do allow you to send messages in both formats.
Well, Tiger’s Mail.app always sends a plain text alternative with its HTML mails (it sends rich text e-mails as HTML, not rich text) so I expect the Mail.app in Leopard will follow suit.
I must disagree with the notion that an HTML e-mail can do anything bad, or at least, anything that a webpage couldn’t do. Webkit and javascript are always kept quite secure, security holes do appear (and are patched by Apple) but exploits are incredibly rare. It would be easier for someone to hack you directly than to try and use javascript to gain write access to local files.
Does anyone have any example of an HTML e-mail being a security problem, on OS X ?
The only ‘bad’ thing that an HTML e-mail could do (and they often do) is reference an external picture or file. If loaded, this means the sender knows that you’ve opened and read the e-mail (a great tool for spammers to detect live addresses, obviously) so I just make sure that Mail.app doesn’t load external images without my permission – problem solved (unless I stupidly click the ‘load images’ button on a spam mail).
I’m not saying that Webkit has holes, but to say that it’s completely secure is just a really bad idea. Just look at the hack for iPhones to allow jailbreaking from the web with a bug in TIFF rendering or something to do with TIFF’s anyway. Plus, Javascript isn’t even an Apple property, so they are at the mercy of who ever maintains it.
Also, we are not talking about Mac users sending out bad HTML to take over systems Mac systems. We are talking about people who take over Windows systems via HTML. If you have friends that use Windows and email, they should not have HTML turned on in their email client. If they do, they are just asking for trouble.
Don’t make HTML email out to be only an OS X thing. Every OS can display HTML email.
Also, just because it hasn’t happened yet doesn’t mean it will never happen. As Mac’s become more popular and the marketshare starts growing, hackers are going to see Mac’s as a viable platform for their hacks. When that happens, I really hope Apple is ready for them. After what I have seen with the iPhone and Safari on the iPhone, I’m pretty certain that they are not ready currenlty.
Come on, Dave, I didn’t say either of those things. “Webkit is completely secure” – no, and “HTML e-mail is an OSX thing” – no, not even close to it. Please don’t put words in my mouth and then decry me for them. I’m trying to contribute, in particular, I’m trying to point out valid reasons why the (commonly held) paranoia about HTML e-mail insecurity is excessive.
Webkit is very (not completely) secure, and so is javascript. If it were not, then everyone would be using it to infect people because nearly everyone who browses the web has JS turned on. Also, Webkit’s Javascript is indeed Apple property and maintained by them.
Pointing out a security flaw with a new piece of software like the iPhone doesn’t really say a lot about matured products. And the iPhone exploit you refer to was not part of HTML processing code anyway, but (as you pointed out) graphic rendering code.
I don’t know why you’re now saying this is just about Windows users – you were the one who mentioned taking over Mac systems as well! (your first comment above) Also, this site is about Mail.app on OS X, so it seems pertinent to address that aspect as well as the Windows one.
Lastly, the ’security through obscurity’ myth has been disproved many times. If nothing else, then consider that if that were true, then Macs would be affected by a percentage of viruses commensurate with their market share – around 8%. They aren’t. Depending on how you do the rounding, Macs are affected by either 1% or 0% of malware. It is OS X (mostly the unix underpinnings) that provides the security, not obscurity.
OS X users do need to be aware of security issues, I’ve never said otherwise, but they would be best served blocking known potential attack vectors rather than unlikely ones.
Hi guys – I’ve been listening to your debate and you both sound like you know a fair bit about this but in the end I have to agree with VanillaBaron- there is definitely a paranoia about HTML e-mail insecurity that is excessive. To say Windows users should should not have HTML turned on in their email client is just silly. Not everyone wishes to stay with plain text email – this is the modern world and we (meaning a lot of people) want our nice looking newsletters and stationary. Thats the way people are – they want things to look better than they did a few years ago. Thats how thing move forward. I will use HTML email. I will receive HTML and I’ll be careful on a *Mac or a PC* – I’ll only receive those emails from those companies or individuals I trust.
Some email clients have come a long way and I personally, through a little bit of care do not get any spam email anymore. If ever I need to check a dodgy email it would stick out like a sore thumb in my inbox. I will also send HTML newsletters (with a plain text version) – I’m part of a small non-profit charity and people who know about us to some extend know they can trust us – they will know there will be no funny business coming their way. No problem. I’m glad I ask the first question here and listening to all said I have to conclude – I like HTML emails and I look forward to the ones I’ve chosen to receive in my inbox. So much nicer. If we aren’t bothered about appearances then why the heck are we all loving what CSS has done for webpages. I also like Apple’s new Templates, I will uses them and I will *sensibly* edit them.
Look, all I meant to say in my first comment up there is that HTML mail has a stigma assigned to it that many old-timers (myself included as an old-timer anyway) feel it’s better to stay with plain text rather than take any chances with HTML messages.
I know nothing about Webkit other than it’s software and it’s written by humans. So there is always a possibility of a potential hole.
I wasn’t aware that Apple maintained a version of JS for Webkit like they maintain a JVM for Java. It makes sense since they seem to like to control all aspects of their OS.
If I came across as demeaning, I didn’t mean to. I just want to stress that there is always a possibility of being hacked. No matter what OS you use.
As for Safari and the iPhone. I was given the impression that the Safari on the iPhone and the latest version of Safari for both Mac and Windows are pretty much the same. If not, I’m sorry for bringing it up, but if it is, it’s a pretty big scary hole.
As for the Security through Obscurity “myth”. I have read an equal number of arguments on both sides. I have yet to hear a compelling enough argument against it to be swayed to that side. I have read many posts from valued Mac writers that have used the Security through Obscurity statement, plus just the logic of it, that it currently stands for me. The argument doesn’t mean that there are tons of holes in OS X just waiting to be exploited. It simply means that there are just not enough machines out there that are being “used by the same kinds of folks” that have Windows systems that are being used by hackers and spammers to do their dirty work. These are systems that don’t have either firewall software or a router between the OS and the street.
Kelsang Norbu: I agree that there is paranoia with HTML email, but I’m not so sure how excessive it is. Mind you, it’s been a few years since email was a delivery method for viruses, worms and trojan code. Still, if I were still using Windows for my email, I would be very careful with it. If for no other reason than to alert spammers that they have a valid email address due to image rendering. It’s really great that pretty much all email clients take care of not rendering images until the user says it’s OK. Even Gmail does this.
SPAM, man I wish I was like John Dvorak and could claim that “I get no SPAM”. I get tons. Just posting an email address on a blog like this has a good chance of that address being cought by a spam bot. However, I still post email addresses. Most spam filters seem pretty good at catching them and getting rid of them for me.
I also prefer HTML mail over plain text. It’s easier to read and many times formatter very well.
I just wanted to try to explain why there are people that don’t like HTML mail. I can’t speak for the author of this blog, but I can tell you I have heard a lot of computer pundits and Apple pundits stating that they are not very happy with Apple’s decision to put templates in Mail.app.
Hi Dave – sorry if things got personal there, I felt the temperature rising a bit and thats never nice. I think your last post sums things up very well and your right of course, care does need to be taken and getting spammed left, right and centre is not a funny thing, so thanks for your comments.
Yes, and for my part I am sorry too if I came across as defensive. I’ve had the HTML e-mail argument a few times and whilst the debate as a whole certainly remains open, there are a few points or arguments (for both sides) that are unarguable by dint of fact, that I think people (on both sides) still refuse to accept.
I think that, on the one hand, it has to be accepted that HTML and JavaScript (in any form) has only a limited means to ever cause trouble, and security is a prime consideration of those writing HTML and especially JavaScript interpreters. On the other hand, it has to be accepted that limited does not mean none, and we are in any case at the mercy (as Dave rightly points out) of software written by fallible humans.
In a lot of respects, this issue tends to get me worked up because I don’t see the debate progressing, it frequently becomes mired in arguing points that are either unnecessary or decided already and we never get to debating valid aspects of the argument. That’s not directed at anyone here, and I am as guilty of it as anyone else.
And an impassioned argument for HTML e-mail will always seem to come across as something like “it’s all perfectly 100% fine”, when of course it isn’t – the day that one thinks that their security is perfect is the day their defences will be breached.
To get to some of the points raised, the iPhone’s Safari is a modified version of the Macs, but pretty close at the source level. But the iPhone and Mac have very different processors and OSes meaning that not only is the object code substantially different, but the opportunity for (and handling of) things like buffer overflows are completely different.
I haven’t read any *arguments* for security through obscurity, just lots of people saying it without justifying it – I would be interested to, though, so I will search for them. I’ve seen a few good reasons against, another one is the fact that unix is widely deployed in high-value targets and yet remains (like OSX) very secure. It suggests to me that Window’s insecurity rather than popularity is what makes it the popular target.
I guess I just wished that HTML e-mail were seen – at the worst – as being as insecure as any other e-mail, not moreso, so it could take a place as a valid means of communication, because I think that e-mails of any type are a useful vector and the figures on viral infections certainly support that.
I wish I could remember all the places I saw folks mention the security through obscurity argument. I’m sure I have seen both sides on SlashDot, but I can’t remember who or where. I suppose I really should put del.icio.us to use when I see those posts.
To summarize what I have seen, basically, virus writers are writing viruses now for one goal. A business. They want to have control over as many computers as they can as “easily” as possible so that they can use them for spam and dDOS attacks. It’s pretty trivial to use simple scripts to take over millions of Windows systems because the folks who are being taken over have no clue how to use a computer. That actually comes from experience. When I was out of work a few years back, I started up a small business similar to GeekSquad to help people get their computers back up and running as good as new. I found many simple viruses on their systems and always suggested getting a router to protect their computers from future attacks.
Anyway. Once virus writers have all their zombie computers, they sell time on them to send spam. There are actually viruses out there that have Anti-Virus code in them to remove competitive viruses so that only their virus is on the system. Kind of like a real world CoreWars (look up CoreWars on Wikipedia for more info on that game). I’m not kidding about the virus with anti-virus code in it, by the way.
The point here is that there are millions and millions of Windows boxes out there that are open for hackers to get to. There are quite a few Macs out there too, but they are not as easy to access as the windows boxes. Not because of the OS, although I’m sure OS X is way more secure than Windows, but I have a strong feeling that Mac users have a better knowledge of computers in general. Sure, I have my parents on a Mac Mini so that their computer doesn’t get attacked like their older Windows box did. I was cleaning crap off of that Windows box ever other week. I have yet to even worry about the Mac.
Now, as I just said. Part of the security comes from the OS. Heck, I would probably venture to guess that most of it comes from the OS. Having to enter a password to install a program is quite good. If my parents knew the admin password to their Mac however, I suspect that I would be dealing with problems on that box too. OS X makes it easier to install programs on a standard user account without having to be an admin. Windows has always had a problem with that and I suspect they always will.
Anyway, that was way more than I meant to post on the subject. Especially since this is a site devoted to email and Mac’s, not security. But security is a part of using email since some viruses do get delivered through email. That’s what I have heard arguing for the side of security through obscurity. It makes sense to me at least.
Well, I was going to post more interminable arguments against obscurity (I’ve got plenty more if you’re desperate to hear them!), but I think, since I’m more than willing to accept that popularity is at least part of the attractiveness of Windows, and since you’ve stated that OS design is at least partly responsible, our argument about security-through-obscurity would only ever boil down to which we believe to be the prime motivator.
We’d be unlikely to ever agree fully with each other, and there’s no reason we should since that question has no authoritative answer – sadly, no-one has done a statistically-significant poll of malware authors regarding their thought process prior to writing a virus.
Heh, we’ve both said way more than we initially intended to, but I think we’ve both made valid points about security, we’ve added to a very worthwhile debate, so it certainly hasn’t been a bad thing.
Unless Tim is sitting there thinking, “But this post was just to link to a stationery-editing article! When did it become Macs versus Windows?!”
HTML probably does not belong in e-mail, but the reasons have more to do with the nature of the medium than with security.
A couple of comments for Dave:
* Off the top of my head, I can’t think of any way for HTML e-mail to do anything malicious that a webpage couldn’t also do.
* You wrote “I wasn’t aware that Apple maintained a version of JS for Webkit like they maintain a JVM for Java. It makes sense since they seem to like to control all aspects of their OS.” However, this isn’t really a “control” issue. Rather, the nature of JavaScript is such that the only — or at least the easiest — way to implement it in a Web browser is to write an interpreter from scratch. So Microsoft wrote their own JS interpreter for IE, the Mozilla crowd wrote their own for Mozilla, and so on. Just like anyone writing a Web browser has to write an HTML interpreter, they have to write a JS interpreter.
Thanks for the links on template creation for Mail.app! I’ll have to try it.
Here are a couple observations on the HTML vs. plain text debate:
Risk: indeed it has been a few years since a significant email worm has caused havoc. And when you consider that about 60 BILLION emails are sent every DAY (about 2 TRILLION a year), it speaks to a certain robustness of email security.
I also don’t think that a clear pronouncement can be made for or against HTML in email. From my perspective, if the graphics and layout of HTML contributes meaningfully to the message, by all means, use HTML. OTOH, if the HTML is just being used to create junky backgrounds for a message that really only needs text (e.g., “tomorrow’s meeting is at 4:00″) then skip it and just send plain text. I don’t think it’s an all-or-nothing issue.
And c’mon guys, we’re not exactly using 300 baud modems and floppy disks anymore. Bandwidth is plentiful and storage is cheap. I mention that in case anyone wants to argue that HTML emails are so big. (In that case, lets forget the web altogether and go back to dial-up BBSes…hyeah, that was better…)
I am beginner and I am more than willing use my own stationery or templates or email designs I don’t know the right expression…
or by customizing the existing apple one’s or by creating them to have as my own headletter (logo on top, text with or without images on the body and lines as adress,phone,fax,email and so on on footer) .
what I know is to do my own emails with my imac having leopard 10.5.1latest mail software installed on the machine and use my photoshop, flash and dreamweaver I have on my old imac G4 to do the job and thentransfert it to my newimac 24″ with mail inside leopard 10.5.1 !!
so as really not expert in html better with flash could you do a diagram or synoptic for peoples like me they understand better your explanations with example :
Where to go on the machine to find it ????
what iss the arborescence ????
how to drawn or modify ???
What to do and to change ???
which softwares are need ????
and so on….
drawings are better than thousands words !!
and much easier to understand….
I leave you my email address which is crisware@free.fr to have your answer with pics explanation for better understanding and to do my first designs for custom mails which will be in accordance with my documents and my flash website, for backgrounds, musics,videos and so on I have drawn and designed on it ..
Thanks a lot your help and support….
With friendly,
Chris
Crisware@free.fr
Not sure about sending html e-mails, but Mail’s included templates have been great for creating birthday cards and other nifty text with photos. :)