Closed Bug 1553204 Opened 6 years ago Closed 5 years ago

phishing filter always warns about emails from environmental organizations

Categories

(Thunderbird :: Security, defect)

Product:
Thunderbird
Component:
Security
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED WORKSFORME

People

(Reporter: estellnb, Unassigned)

References

Details

Attachments

(7 files)

MUTTER ERDE-Themenschwerpunkt 2019 "Verwenden statt verschwenden".eml
114.15 KB, message/rfc822
Details
TB_60.png
820.17 KB, image/png
Details
TB_68.png
878.19 KB, image/png
Details
Re: Fwd: Menschenrechte und Erhaltung unserer Lebensgrundlagen haben Vorrang!.eml
13.17 KB, message/rfc822
Details
another email from konzern-initiative.ch that was wrongly detected as phishing
35.44 KB, message/rfc822
Details
email from info@konzern-initiative.ch
36.08 KB, message/rfc822
Details
Mercosur: Herr Stellnberger, wir brauchen Sie, um den Pakt zu stoppen!.eml
29.71 KB, message/rfc822
Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:60.0) Gecko/20100101 Firefox/60.0

Steps to reproduce:

Debian Testing version 1:60.6.1-1

Actual results:

I always get a lot of emails from NGOs and environmental organizations and it regularly marks such emails as phishing attempts which is not true. See for the attached email. The email does not have hidden links or other issues and should thus not be marked as phishing attempt: https://support.mozilla.org/en-US/kb/thunderbirds-scam-detection

Expected results:

It is not right that normal emails from environmental organizations are marked as phishing attempts since that will keep people from opening and reading such emails. Real spam is not marked as such. I also see it very often that my own emails disappear as spam though I only use my email address estellnb@elstel.org for well chosen and well written emails.

Looking at the eml file you provided it is indeed triggering the scam detector.

There are a few up front things. The agent is "MailChimp Mailer - CID1c6797ada3cd3051a902" (not usually an issue) and that the "From" address is different than the sender (might be the issue). Could you look at some of the other emails that are marked as phishing attempts and see if there is a pattern?

Are all of them from a mass email service like Mail Chimp?
Does the FROM match the sender?

Also, if its not too much trouble, attach a few more emls from known good sources. The pattern may not be as obvious as the two questions I've asked.

Flags: needinfo?(estellnb)

Ok, I will post any new email that is marked as phishing attempt here. It only happens every now and then and I can not see for old emails which ones were marked as phishing attempt.

Flags: needinfo?(estellnb)

Josiah, could you look at this one.

Flags: needinfo?(jsbruner)

Yeah, I should be able to take a look at this "soon". Leaving needinfo to remind myself.

I do see this on TB 60.6.0. This is likely being marked as a scam due to some displayed URLs not matching the actual (underlying) URL.

Notably, near the middle of the email there exists what looks like a full URL: https://www.muttererde.at/.

However, you'll find that the link actually points to: https://muttererde.us12.list-manage.com/track/click?u=d8b4ba4e50a86b11eccb1055f&id=d366145234&e=cd3051a902

Thunderbird doesn't like this domain redirection. Bug 1476428 mitigated this by treating these mismatched domains differently. This issue should therefore be fixed in TB 68. Indeed, I tested this on my machine using thunderbird-68.0a1.en-US.mac.dmg here: https://archive.mozilla.org/pub/thunderbird/nightly/latest-comm-central/ and it seems to work (see incoming screenshot), albeit in an ugly fashion.

Elmar, can you please re-test this using a recent daily from using the above link?

Flags: needinfo?(estellnb)
Attached image TB_60.png
Flags: needinfo?(jsbruner)
Attached image TB_68.png

Issue appears fixed in TB 68

Many thanks, Josiah. Maybe it's worth waiting for TB 68 beta which will come out in a couple of weeks.

Yeah probably a good idea. Also, this bug might be a duplicate of other "email trackers being classified as phishing" bugs, but I don't have a bug # handy.

Status: UNCONFIRMED → NEW
Component: Untriaged → Message Reader UI
Depends on: 1476428
Ever confirmed: true
Component: Message Reader UI → Security

Since this is working on trunk -> WFM

Status: NEW → RESOLVED
Closed: 6 years ago
Resolution: --- → WORKSFORME

I don´t think that compiling a newer Thunderbird would help since I have already clicked the scam warning away. Perhaps you can import the eml on a newer version of Thunderbird yourself and see if it makes problems.

Flags: needinfo?(estellnb)

Here is another mail that should not have been marked as phishing attempt. As it seems the phishing filter may harm the political discourse.

Elmar, since this bug is fixed for the upcoming 68 release, we only need to know if there is any issues with that. The fix won't be backported to 60

The problem is being far from resolved. Today I have got an email from Greenpeace marked as phishing attempt.

Status: RESOLVED → REOPENED
Resolution: WORKSFORME → ---

It's already resolved, see comment 15. You can now download version 68 from https://www.thunderbird.net/ and try it out yourself.

Status: REOPENED → RESOLVED
Closed: 6 years ago5 years ago
Resolution: --- → WORKSFORME
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: