Closed Bug 1943017 Opened 9 months ago Closed 9 months ago

Thunderbird doesn't display a forgery warning if DKIM heavily suggests something fishy going on

Categories

(Thunderbird :: Security, defect)

Thunderbird 128
defect

Tracking

(Not tracked)

RESOLVED DUPLICATE of bug 265226

People

(Reporter: el, Unassigned)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:134.0) Gecko/20100101 Firefox/134.0

Steps to reproduce:

  1. Receive e-mails and check their DKIM status and how that relates to the danger of the e-mail. Observe that Thunderbird marks none(!) of the e-mails with obvious DKIM issues as suspicious in any way.

Actual results:

I have been using an addon for a while now to see what the DKIM status is of messages in real life practice with a heavily used mail account, and I discovered that DKIM headers other than dkim=pass are only present for messages that: 1. are obvious and really dangerous(!) forged spam e-mails that Thunderbird doesn't mark as potentially suspicious in any way whatsoever, 2. mails from misconfigured mailing lists (not newsletters!) that no beginner user would ever use these days.

Expected results:

It seems questionable and worryingly damaging to regular users to me, that a non-passing DKIM Authentication-Results header in the e-mail's source and/or a missing DKIM signature, whether the header was set by a trustworthy server or not, isn't pointed out with some sort of potential forgery warning that can be disabled in the settings.

Heavy mailing list users, who would likely be advanced users better able to tell what a scam e-mail is, could disable the warning if desired. And all the newbie users, who are likely to be easily tricked by scams, would be saved from potentially rather dangerous and obvious scams.

As a side effect, mailing lists might also be motivated to be configured better to make it more obvious the e-mail has been altered in the process, for example by adding a suffix to the "FROM" field or moving the original sender to "Reply-To" and setting "FROM" to the mailing list, which would more accurately reflect how most mailing lists work. This seems to already be a commonly supported configuration for modern mailing list software.

(Please note I'm not suggesting Thunderbird repeats a local DKIM signature check. I'm merely suggesting that it should process "Authentication-Results" DKIM headers set by the delivering mail servers, and a completely missing DKIM signature, on incoming e-mails.)
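One way to implement the check the report asks for, as an added example in Python (not Thunderbird code and not the reporter's): parse the Authentication-Results header (RFC 8601) for the dkim result and treat anything other than dkim=pass, or a missing DKIM-Signature, as a reason to show a warning. It assumes the recipient's own delivering MTA identifies itself with the constructed authserv-id `mx.example.net`, and honours only headers carrying that id, since a sender can insert an Authentication-Results header of its own.

```python
import email
import re
from email import policy

# Constructed sample messages (not real mail); "mx.example.net" stands in for
# the recipient's own delivering MTA whose Authentication-Results we trust.
FORGED = """\
Authentication-Results: mx.example.net;
  spf=softfail smtp.mailfrom=attacker.test;
  dkim=fail (signature verification failed) header.d=bank.test
DKIM-Signature: v=1; a=rsa-sha256; d=bank.test; s=sel; h=from; bh=AAAA; b=BBBB
From: "Bank" <alerts@bank.test>
Subject: constructed sample

body
"""
# Sender-inserted header claiming a pass under a foreign authserv-id; must be ignored.
SPOOFED_AR = FORGED.replace("mx.example.net", "mail.attacker.test")
PASSED = FORGED.replace("dkim=fail (signature verification failed)", "dkim=pass")
UNSIGNED = "From: a@b.test\nSubject: constructed\n\nbody\n"

def parse_auth_results(value):
    """Split one Authentication-Results value (RFC 8601) into (authserv-id, {method: result})."""
    value = re.sub(r"\([^)]*\)", "", value)          # drop CFWS comments
    parts = [p.strip() for p in value.split(";")]
    authserv_id = parts[0].split()[0].lower() if parts[0] else ""
    results = {}
    for part in parts[1:]:
        m = re.match(r"([a-z0-9-]+)\s*=\s*([a-z]+)", part, re.I)
        if m:
            results[m.group(1).lower()] = m.group(2).lower()
    return authserv_id, results

def dkim_verdict(raw, trusted_authserv):
    """'pass', an MTA-reported result ('fail', 'none', ...), 'unverified', or 'none' if unsigned."""
    msg = email.message_from_string(raw, policy=policy.default)
    for hdr in msg.get_all("Authentication-Results", []):
        authserv_id, results = parse_auth_results(str(hdr))
        if authserv_id != trusted_authserv.lower():
            continue  # not added by our MTA: could have been written by the sender
        if "dkim" in results:
            return results["dkim"]
    return "none" if msg.get("DKIM-Signature") is None else "unverified"

def should_warn(raw, trusted_authserv="mx.example.net"):
    """Surface a forgery warning unless the trusted MTA reported dkim=pass."""
    return dkim_verdict(raw, trusted_authserv) != "pass"
```

A real client would take the trusted authserv-id from the account configuration or from the MTA's own Received chain rather than a constant.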

It's still covered by bug 265226

Status: UNCONFIRMED → RESOLVED
Closed: 9 months ago
Duplicate of bug: 265226
Resolution: --- → DUPLICATE