Closed Bug 254913 Opened 18 years ago Closed 16 years ago
add "phishing" detection to mail client
add "phishing" detection to thunderbird Talked to mscott, benb and lorenzo about this on friday. perhaps we could add some code to help detect potential phishing emails to thunderbird. for example: if href url is an ip address or if href url domain doesn't match href text domain, then it might be a phishing email. (or something, we could read up on http://www.antiphishing.org for what makes a phishing email.) We could then display a bar (like the "junk" or the "remote images" bar) to let users know "this could be a fake email intended to xyz." if we think it is a phish email, we could display in simple html, like we do when we think something is junk. the order of importance would be junk, phish, then remote images, so that we at most show one "bar" at a time.
*** Bug 254965 has been marked as a duplicate of this bug. ***
(In reply to comment #1) > *** Bug 254965 has been marked as a duplicate of this bug. *** Because your bug was for MailNews this one is not TB only, is it?
all: see also the descr of the dup bug. ostgote: Seth and me were talking about the same thing. This feature should be available in both Seamonkey and Thunderbird.
Summary: add "phishing" detection to thunderbird → add "phishing" detection to mail client
Here is a snippet that turned up in my inbox today: <strong>Click here >></strong> <a href="http://updatebilling.info/updates/" onMouseover="window.status=''; return true" onMouseout="window.status=' '; return true"> http://cgi.ebay.com/ws/eBayISAPI.dll?AccountUpdate?ID=54345622773</a><br> This would have been caught by the idea we were discussing of running the URL parser on the link text and seeing if it matched. This particular email also uses JS to obscure the link target. But if JS is enabled you're pretty much toast anyway, I think. In fact maybe we should have a warning there in the preferences panel?
See also bug 257307.
*** Bug 264629 has been marked as a duplicate of this bug. ***
solid phishing protection probably cannot be realized short of equipping the user with a (personally transferrable) security token - see RFE Bug 268835 for how mozilla could enable such a protection.
I was about to post a new bug (feature request) along these lines when I discovered this one. Here is my suggestion: - Whenever the text of an html link begins with "http(s)://" check to see if the linked text is equal to the target url. - If not, display a warning. It can be an icon next to the link or a "links in this email have been dissabled top screen as we have for extension installations in firefox). I think this should be rather simple. - If a link is something like <a href="http://somesite.com">Text</a>, no action is taken. - If <a href="http://somesite.com">http://somesite.com</a> (Linked text begins with http://) it is checked to see if both are the same. If they are the same, do nothing. If not, give a warning or disable links till aproved (as for extensions). This would be a great security feature, I belive.
Bug 116242 would be useful for this, it should find anything that looks reasonably like a URL to humans, even when in the middle of other text.
Hardware: PC → All
*** Bug 274171 has been marked as a duplicate of this bug. ***
Depends on: mailphish
Some IMAP Anchors seem to trigger the phishing warning when using an internal IP address (192.168.0.1) as IMAP server address. The anchor link was: imap://firstname.lastname@example.org:143/fetch%3EUID%3E.INBOX.Trash%3E5099#32816 And triggered the anti-phishing dialog reporting that the link was directed to 192.168.0.1 (our internal mail server). I think this warning should not be triggered when the target address is the same as the IMAP server.
an other bad email i saw while browsing through my Junk folder: (just the relevant part) <html><p><font face="Arial"><A HREF="https://online.regions.com/ibsregions/cmserver/users/default/confirm.cfm"><map name="FPMap0"><area coords="0, 0, 623, 349" shape="rect" href="(phishers Adress removed)"></map><img SRC="cid:part1.09010701.06040700@email@example.com" border="0" usemap="#FPMap0"></A></a></font></p><p><font color="#FFFFFC">in 1998 AOL BMW Male Will you, please... </font></p></html> when i moved over the image i saw the regions.com adress in the status bar, not the actual one PS i dont know if i sould post it here, or in Bug 279191
Re: comment 17. There is a specific bug for showing the wrong URL with MAP targets: https://bugzilla.mozilla.org/show_bug.cgi?id=245855.
*** Bug 297001 has been marked as a duplicate of this bug. ***
I'd second the suggestion in #12 -- agressively highlighting the situation where the URL in the text doesn't match the link would be a significant improvement. An option that disabled links with a mismatch (possibly restricting the comparison to the link's domain) would be excellent...
*** Bug 302023 has been marked as a duplicate of this bug. ***
Excuse me for the lame question, but how does this bug differ from the (resolved) #279191?
*** This bug has been marked as a duplicate of 279191 ***
Status: NEW → RESOLVED
Closed: 16 years ago
No longer depends on: mailphish
Resolution: --- → DUPLICATE
You need to log in before you can comment on or make changes to this bug.