Closed Bug 282500 Opened 19 years ago Closed 19 years ago

Phishing Detector should look for HTML forms in e-mail

Product: Thunderbird :: General (defect)
Platform: x86, Windows XP
Priority: Not set; Severity: normal
Status: RESOLVED FIXED
Target Milestone: Thunderbird1.1
Reporter: mscott; Assigned: mscott
Attachments: 1 file

One of the common scams we can't check for in the client today has to do with
e-mail that has a form in it where you enter your user name and password for
some site (like eBay) and then you submit the form.

The good news is, right now we don't even support forms inside Thunderbird
messages so the user can't actually submit private data, but we may actually fix
that bug one day for RSS.

I can't think of a good legitimate reason why an email would contain a form in
it unless it was part of a phishing attack.

We should improve our phishing detector to look for form elements in the message
and flag the msg as a scam if we find one.

From this phishing information site:

"If the email has a form to complete for any information (including your user
name and password, bank details, credit card details, etc, etc.) then it is NOT
from the genuine site. None of the genuine sites would do this."
Status: NEW → ASSIGNED
Target Milestone: --- → Thunderbird1.1
Attached patch: the fix

The fix is very simple.

The question is how many false positives will it generate :)

Fixed.

The only real problem I see with this is if someone forwards you a web page to
look at and it has a form on it, i.e. where the form is part of a forwarded
message....
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
In the interests of completeness, I feel I should note one legitimate use of
forms in email: the online diary service www.livejournal.com will send you an
email when someone replies to your journal entry or to one of your replies, and
helpfully includes a reply-form right there in the email so that you can post a
response without leaving your MUA.
The Livejournal use is very widespread, and it does concern me.  One of the
common complaints a lot of my friends who use Thunderbird have is that the LJ
forms inside Thunderbird just don't work.  Since most of the email these people
get comes in the form of LJ comments, they simply use another client.

I understand why forms aren't supported right now in Thunderbird, but assuming
any form in an email to be a scam is a bit extreme IMO.
I haven't hooked up a pref yet to turn off the phishing detector, but these more
sophisticated LiveJournal users could just turn this off.....
The Yahoo Mail web client posts a dialogue box whenever a user submits a form.
I wonder if Thunderbird should do something akin to that -- perhaps with a
"don't show this to me again for *this* form/from address/target" (or something
to allow LiveJournal users to exempt that case) box. Or, perhaps you could
reuse the block images interface and preferences -- don't show images or forms
unless it's from an address book entry, with the same message interface. To have
some users turn off a security preference altogether to allow themselves one use
case seems like asking for trouble.
(In reply to comment #6)
> Or, perhaps you could
> reuse the block images interface and preferences -- don't show images or forms
> unless its from an address book entry, with the same message interface.

This seems to me to be a good idea.
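The heuristic this bug asks for (flag a message that contains an HTML form) together with the address-book style exemption the comments above suggest, written out as an added example. This is not Thunderbird's code or the patch attached to this bug; the function names, the allowlist format (full addresses, or domains written with a leading "@") and the sample messages are all assumed or constructed for the illustration.

```javascript
// Added example, not Thunderbird's code or the patch attached to this bug.
// Flags an HTML message that contains a <form> element, with an allowlist of
// sender addresses or domains standing in for the "address book entry"
// exemption discussed in the comments. All names here are assumed.

// Opening <form ...> tags, case-insensitive. The lookahead requires a
// delimiter after "form" so a tag merely starting with "form" is not counted.
const FORM_TAG_RE = /<form(?=[\s>\/])([^>]*)>/gi;

// Pull the action="..." target out of a tag's attribute string, if any.
function formAction(attrs) {
  const m = /\baction\s*=\s*(?:"([^"]*)"|'([^']*)'|([^\s>]+))/i.exec(attrs);
  return m ? (m[1] ?? m[2] ?? m[3]).trim() : null;
}

// One record per <form> found in the body: where it is and where it posts to.
function findForms(html) {
  const found = [];
  for (const m of html.matchAll(FORM_TAG_RE)) {
    found.push({ offset: m.index, action: formAction(m[1]) });
  }
  return found;
}

// "Display Name <user@example.com>" -> "user@example.com"
function senderAddress(fromHeader) {
  const m = /<([^>]+)>/.exec(fromHeader);
  return (m ? m[1] : fromHeader).trim().toLowerCase();
}

// Allowlist entries are full addresses ("a@b.example") or whole domains
// written with a leading "@" ("@b.example").
function senderTrusted(fromHeader, allowlist) {
  const addr = senderAddress(fromHeader);
  const at = addr.lastIndexOf('@');
  const domain = at >= 0 ? addr.slice(at) : '';
  return allowlist.has(addr) || (domain !== '' && allowlist.has(domain));
}

// The check itself: any form from a sender outside the allowlist is flagged.
// The heuristic is deliberately blunt, as in the bug: a form inside a
// forwarded web page or an HTML comment still counts.
function checkMessage(message, allowlist = new Set()) {
  const forms = findForms(message.html);
  const trusted = senderTrusted(message.from, allowlist);
  return {
    sender: senderAddress(message.from),
    formCount: forms.length,
    actions: forms.map(f => f.action),
    trusted,
    flagged: forms.length > 0 && !trusted,
  };
}

// Constructed sample messages; none of these addresses or hosts are real.
const SAMPLES = {
  phish: {
    from: '"Account Security" <security@auction-site.example>',
    html: '<html><body><p>Verify your account:</p>' +
          '<FORM method="post" action="http://verify.example/login.php">' +
          '<input name="user"><input name="pass" type="password">' +
          '<input type="submit"></FORM></body></html>',
  },
  replyForm: {
    from: 'LJ Notify <notify@diary.example>',
    html: '<p>Someone replied to your entry.</p>' +
          "<form action='https://diary.example/reply' method=post>" +
          '<textarea name="body"></textarea></form>',
  },
  newsletter: {
    from: 'News <news@shop.example>',
    html: '<p>Read the <a href="https://shop.example/form">order form</a> online.</p>',
  },
};

// The reply-form sender's whole domain is exempted, the way an address book
// entry would exempt it in the comments' proposal.
const ALLOWLIST = new Set(['@diary.example']);

// Run directly: prints the verdict for each sample.
if (typeof require !== 'undefined' && require.main === module) {
  for (const [name, msg] of Object.entries(SAMPLES)) {
    console.log(name, JSON.stringify(checkMessage(msg, ALLOWLIST)));
  }
}
```

Exemptions are keyed on the sender, so the forwarded-web-page case from the earlier comment is still a false positive unless the forwarder is on the list; the form's `action` target is returned alongside the verdict so a UI could show the user where the form would post.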
We run an online survey service where companies can email survey forms to a
selected group, for example a representative panel of users. We are not the
only service of this kind either. Almost every event manager service has a
similar solution; we counted at least a hundred different competitors late 2004
when we last checked the market.

These services target people who have attended a seminar, or retailers, or
customers who have agreed to answer questions once in a while for some rebate or so.

Also we have a couple of customers who have ordering forms in their monthly
newsletters so that interested customers can order directly.

All this means that there has to be at least some way to say, "never warn about
forms from this user/domain" so that receivers can choose to continue receiving
those forms without trouble.
I too recently ran into something similar. I was asked to develop (yet another)
forum application where moderators receive an email for every newly posted
comment. This email contains the newly posted comment and buttons for approving
and disapproving the comment. Because forms don't work in mail clients I had to
solve it by using 2 links that are opened in a new browser window, but one can
easily imagine rich web applications where more feedback is requested from the
user. In the case of a forum one could think of a rating or immediate editing of the
comment. In this scenario mail is used as the medium for pushing information
that requires feedback to the user rather than polling from a browser. So IMHO
the statement that there is no good legitimate reason why an email would contain
a form doesn't hold.

I like the idea of reusing the personal address book for allowing interactive
mails, i.e. images, forms and possibly even JS though the latter might be too
much of a security risk. For end users the personal address book might not be
the obvious place to look for these settings though. A whitelist seems IMHO more
appropriate but requires more work of course.
I work for a medium size web commerce company. Recently, one of the things the
sales staff dreamed up was form email for a specific client for targeted
members. I think the only thing that dissuaded their request finally was the
fact that email forms are not widely supported. In the end, the tech department
offered the solution of sending an HTML email with a customized link to a company
internal website. There we have much better control on the form and can
provide JavaScript client side validation. More and more web users expect this.
From a consumer standpoint, I would think targeted emails that request a click
to fill in more information are a better solution anyway.

Providing a white list for those who wish simple forms in emails is a good
solution. Personal preference is that forms should never be supported in the
email client.