Does plain text mode offer complete protection against e-mail malware?

Before HTML and JavaScript were even invented, attackers were using ANSI escape codes in email bombs.

Silly: such as turning your terminal into a blinking rainbow of text

Annoying: gunking up the terminal so badly it couldn't be used without a reset

Embarrassing: nobody wants to be that guy in the lab whose VT-100 won't shut up

I don't know that code execution was ever a product, but don't underestimate the damage somebody with a termcap man page can do.
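A plain-text body can be stripped of the ANSI escape codes described in the answer above before it is written to a terminal. The following is an added example, not part of the original answer; the function name `sanitize_for_terminal` and the sample message are constructed for illustration.

```python
import re

# ECMA-48 escape sequences, most specific forms first.
_ESCAPES = re.compile(
    r"""
    \x1b\[ [0-?]* [ -/]* [@-~]               # CSI: colours, blink, cursor movement
  | \x9b   [0-?]* [ -/]* [@-~]               # 8-bit CSI introducer
  | \x1b[\]PX^_] .*? (?:\x07|\x1b\\|\x9c)    # OSC/DCS/SOS/PM/APC string up to BEL or ST
  | \x1b [ -/]* [0-~]                        # any other escape (also unterminated OSC)
    """,
    re.VERBOSE | re.DOTALL,
)

# C0 and C1 control characters, except TAB and LF, which plain text needs.
_CONTROLS = re.compile(r"[\x00-\x08\x0b-\x1f\x7f-\x9f]")


def sanitize_for_terminal(text):
    """Return (clean_text, escapes_removed, controls_removed).

    The counts let a mail filter log or flag messages that carried
    terminal control data instead of silently dropping it.
    """
    text = text.replace("\r\n", "\n")          # normalise mail line endings
    text, n_esc = _ESCAPES.subn("", text)      # whole sequences first
    text, n_ctl = _CONTROLS.subn("", text)     # then stray BEL, BS, CR, ESC...
    return text, n_esc, n_ctl


# Constructed sample: a blinking red word, a window-title change,
# then a bell and a backspace after the signature.
SAMPLE = (
    "Hi,\r\n"
    "\x1b[5;31mURGENT\x1b[0m please read\r\n"
    "\x1b]0;new title\x07"
    "Regards\x07\x08\n"
)

if __name__ == "__main__":
    clean, n_esc, n_ctl = sanitize_for_terminal(SAMPLE)
    print(repr(clean), n_esc, n_ctl)
```
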


No, not complete protection. It's not enough on its own, but it does reduce the number of effective attacks a little.

Take the text-only e-mail reader Mutt as one example. There have been several vulnerabilities, documented as CVEs, that affect it.

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-2683

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2007-1558

http://cve.mitre.org/cgi-bin/cvename.cgi?name=CVE-2006-3242

Given that the processing is much simpler than trying to do everything required for HTML parsing, it is probably harder to attack than an HTML-based client, but vulnerabilities still happen.

That said, I would also point out that fewer attackers are targeting Mutt because it has a minority share in the global e-mail client ecosystem. It's possible that if it were more popular, more security researchers and attackers would target it and more vulnerabilities may be discovered.

In the case of using an HTML-based client in text-only mode, there is a possibility that you are reducing the attack surface by using text-only mode, but it really depends on the specific attack vector. This won't give you 100% protection, but in theory you are reducing your attack surface some.

Finally, almost all of the exploits targeting HTML-based clients are likely to safely be opened in a text-only browser like Mutt, but you can never assume this will be 100%. Nothing is 100% secure.