A friend pointed out that an HTML email my company sent looked completely fucked in Hotmail. After painfully navigating Hotmail’s time-traveling account reactivation process, I found these layout problems were due to a combination of things:
1. Hotmail strips out the <style> tag that we put in our email.
2. Hotmail does not strip out the class="foo" attributes that we put on HTML tags in the email.
3. The class names that we’re using collide with class names used by Hotmail – at least partly because – wait for it – they’re using tables to lay out their entire site.
This means that parts of the email we send end up looking – and behaving – like Hotmail GUI elements.
This is easy to fix – I’ll just inline the style and stop using classes (unfortunately tripling the size of the email in the process).
. . . but . . .
this means that an attacker could trivially send out an email with malicious links in it that were guaranteed to look like Hotmail UI elements. Have these people even *heard* of phishing? Dumb.
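To make the "inline the style and stop using classes" fix concrete, here is a small style inliner as an added example. It is not the post author's code and not anything Hotmail ships; it assumes the email's stylesheet uses only simple single-class selectors (`.foo { ... }`) and double-quoted `class` attributes, which is all that the constructed sample below needs. The sample email and its `example.com` link are made up for the demonstration.

```python
import re

# Matches the <style> blocks that a webmail client like Hotmail strips.
STYLE_BLOCK_RE = re.compile(r"<style[^>]*>(.*?)</style>", re.S | re.I)
# Only simple single-class selectors are supported (an assumption of this example).
CLASS_RULE_RE = re.compile(r"\.([A-Za-z_][\w-]*)\s*\{([^}]*)\}")
# Opening tags only; closing tags, comments and doctype start with "/" or "!".
OPEN_TAG_RE = re.compile(r"<([A-Za-z][\w-]*)([^>]*)>")
CLASS_ATTR_RE = re.compile(r'\sclass\s*=\s*"([^"]*)"', re.I)


def parse_class_rules(css):
    """Return {class_name: [declaration, ...]} from the stylesheet text.

    Repeated rules for the same class are concatenated in source order,
    mirroring how the cascade would apply them.
    """
    rules = {}
    for m in CLASS_RULE_RE.finditer(css):
        decls = [d.strip() for d in m.group(2).split(";") if d.strip()]
        rules.setdefault(m.group(1), []).extend(decls)
    return rules


def inline_styles(html):
    """Move class-based rules into style="" attributes and drop every class.

    Dropping the class attribute is the important part: a class name left
    behind would still match the receiving client's own stylesheet.
    """
    css = "\n".join(m.group(1) for m in STYLE_BLOCK_RE.finditer(html))
    rules = parse_class_rules(css)
    html = STYLE_BLOCK_RE.sub("", html)

    def rewrite(tag):
        name, attrs = tag.group(1), tag.group(2)
        cls = CLASS_ATTR_RE.search(attrs)
        if not cls:
            return tag.group(0)
        decls = []
        for class_name in cls.group(1).split():
            decls.extend(rules.get(class_name, []))
        attrs = CLASS_ATTR_RE.sub("", attrs)
        self_closing = attrs.rstrip().endswith("/")
        if self_closing:
            attrs = attrs.rstrip()[:-1]
        if decls:
            attrs += ' style="%s"' % "; ".join(decls)
        return "<%s%s%s>" % (name, attrs, "/" if self_closing else "")

    return OPEN_TAG_RE.sub(rewrite, html)


def size_ratio(before, after):
    """How much bigger the inlined email is than the class-based original."""
    return len(after) / len(before)


# Constructed sample email, not a real message.
SAMPLE_EMAIL = """<html><head><style>
.header { background: #336699; color: #ffffff; }
.button { padding: 4px 8px; }
.button { border: 1px solid #000000; }
</style></head>
<body>
<table><tr><td class="header">Monthly report</td></tr>
<tr><td><a class="button" href="https://example.com/report">Open</a></td></tr>
</table></body></html>"""

if __name__ == "__main__":
    out = inline_styles(SAMPLE_EMAIL)
    print(out)
    print("size ratio: %.2f" % size_ratio(SAMPLE_EMAIL, out))
```

Running it turns `<td class="header">` into `<td style="background: #336699; color: #ffffff">` and removes the `<style>` block, so nothing in the email can match a class defined by the receiving client's page. The size ratio printed at the end is why inlining bloats mail: every repeated class becomes a repeated declaration list. Note that this only protects the legitimate sender's layout; an attacker composing an email can still put the client's own class names on their links on purpose, which is exactly the concern raised above.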