Bug 282500 (Closed)
Phishing Detector should look for HTML forms in e-mail
Opened 19 years ago; closed 19 years ago
Categories: Thunderbird :: General, defect
Status: RESOLVED FIXED
Target Milestone: Thunderbird1.1
People: Reporter: mscott, Assigned: mscott
Attachments (1 file): patch, 852 bytes
One of the common scams we can't check for in the client today has to do with e-mail that has a form in it where you enter your user name and password for some site (like ebay) and then you submit the form. The good news is, right now we don't even support forms inside Thunderbird messages so the user can't actually submit private data, but we may actually fix that bug one day for RSS. I can't think of a good legitimate reason why an email would contain a form in it unless it was part of a phishing attack. We should improve our phishing detector to look for form elements in the message and flag the msg as a scam if we find one. From this phishing information site: "If the email has a form to complete for any information (including your user name and password, bank details, credit card details, etc, etc.) then it is NOT from the genuine site. None of the genuine sites would do this."
Updated•19 years ago (Assignee)
Status: NEW → ASSIGNED
Target Milestone: --- → Thunderbird1.1
Comment 1•19 years ago (Assignee)
the fix is very simple. the question is how many false positives will it generate :)
Comment 2•19 years ago (Assignee)
fixed. the only real problem I see with this is if someone forwards you a web page to look at and it has a form on it. i.e. where the form is part of a forwarded message....
Status: ASSIGNED → RESOLVED
Closed: 19 years ago
Resolution: --- → FIXED
Comment 3
In the interests of completeness, I feel I should note one legitimate use of forms in email: the online diary service www.livejournal.com will send you an email when someone replies to your journal entry or to one of your replies, and helpfully includes a reply-form right there in the email so that you can post a response without leaving your MUA.
Comment 4
The Livejournal use is very widespread, and it does concern me. One of the common complaints a lot of my friends who use Thunderbird have is that the LJ forms inside Thunderbird just don't work. Since most of the email these people get comes in the form of LJ comments, they simply use another client. I understand why forms aren't supported right now in Thunderbird, but assuming any form in an email to be a scam is a bit extreme IMO.
Comment 5•19 years ago (Assignee)
i haven't hooked up a pref yet to turn off the phishing detector but these more sophisticated live journal users could just turn this off.....
Comment 6•19 years ago
The Yahoo Mail web client posts a dialogue box whenever a user submits a form. I wonder if Thunderbird should do something akin to that -- perhaps with a 'don't show this to me again for *this* form/from address/target' (or something to allow Livejournal users to exempt that case) box. Or, perhaps you could reuse the block images interface and preferences -- don't show images or forms unless it's from an address book entry, with the same message interface. To have some users turn off a security preference altogether to allow themselves 1 use case seems like asking for trouble.
Comment 7•19 years ago
(In reply to comment #6)
> Or, perhaps you could reuse the block images interface and preferences -- don't show images or forms unless it's from an address book entry, with the same message interface.

This seems to me to be a good idea.
Comment 8•19 years ago
We run an online survey service where companies can email survey forms to a selected group, for example a representative panel of users. We are not the only service of this kind either. Almost every event manager service has a similar solution; we counted at least a hundred different competitors late 2004 when we last checked the market. These services target people who have attended a seminar, or retailers or customers who have agreed to answer questions once in a while for some rebate or so. Also we have a couple of customers who have ordering forms in their monthly newsletters so that interested customers can order directly. All this means that there has to be at least some way to say, "never warn about forms from this user/domain" so that receivers can choose to continue receiving those forms without trouble.
Comment 9•19 years ago
I too recently ran into something similar. I was asked to develop (yet another) forum application where moderators receive an email for every newly posted comment. This email contains the newly posted comment and buttons for approving and disapproving the comment. Because forms don't work in mail clients I had to solve it by using 2 links that are opened in a new browser window, but one can easily imagine rich web applications where more feedback is requested from the user. In the case of a forum one could think of a rating or immediate editing of the comment. In this scenario mail is used as the medium for pushing information that requires feedback to the user rather than polling from a browser. So IMHO the statement that there is no good legitimate reason why an email would contain a form doesn't hold. I like the idea of reusing the personal address book for allowing interactive mails, i.e. images, forms and possibly even JS, though the latter might be too much of a security risk. For end users the personal address book might not be the obvious place to look for these settings though. A whitelist seems IMHO more appropriate but requires more work of course.
Comment 10•19 years ago
I work for a medium size web commerce company. Recently, one of the things the sales staff dreamed up was form email for a specific client for targeted members. I think the only thing that dissuaded their request finally was the fact that email forms are not widely supported. In the end, the tech department offered the solution of sending an HTML email with a customized link to a company internal website. There we have much better control on the form and can provide JavaScript client-side validation. More and more web users expect this. From a consumer standpoint, I would think targeted emails that request a click to fill in more information is a better solution anyway. Providing a white list for those who wish simple forms in emails is a good solution. Personal preference is that forms should never be supported in the email client.
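The heuristic the report proposes (flag a message whose HTML body contains a form) together with the per-sender exemption that comments 6 through 9 ask for, written out as an added example. This is not Thunderbird's phishing detector or the patch attached to this bug; the function names (`scanMessage`, `findForms`, `senderDomain`), the `example.invalid` placeholder addresses and the sample messages are all constructed for illustration.

```javascript
// Added example, not Thunderbird's own phishing detector: flag an e-mail whose
// HTML body contains a <form>, with the per-sender allowlist that comments 6-9
// ask for. All names here (scanMessage, findForms, etc.) are hypothetical.

// Drop HTML comments first so a commented-out form is not counted.
function stripComments(html) {
  return html.replace(/<!--[\s\S]*?-->/g, "");
}

// Return one record per <form ...> opening tag, with its action URL if any.
function findForms(html) {
  const clean = stripComments(html);
  const formTag = /<\s*form\b([^>]*)>/gi;
  const forms = [];
  let m;
  while ((m = formTag.exec(clean)) !== null) {
    const attrs = m[1];
    const action = (attrs.match(/\baction\s*=\s*["']?([^"'\s>]+)/i) || [])[1] || "";
    forms.push({ action });
  }
  return forms;
}

// A password field inside the body is the credential-harvesting case the
// report describes, so it strengthens the verdict.
function hasPasswordInput(html) {
  return /<\s*input\b[^>]*\btype\s*=\s*["']?password\b/i.test(stripComments(html));
}

// Lower-cased domain of the From address ("Name <user@host>" or bare address).
function senderDomain(fromAddr) {
  const m = fromAddr.match(/@([^>\s]+)/);
  return m ? m[1].toLowerCase() : "";
}

// allowlist: Set of sender domains the user has chosen to trust with forms.
// Returns { scam, reason, forms }.
function scanMessage({ from, html }, allowlist = new Set()) {
  const forms = findForms(html);
  if (forms.length === 0) {
    return { scam: false, reason: "no form in body", forms };
  }
  const domain = senderDomain(from);
  if (allowlist.has(domain)) {
    return { scam: false, reason: "form allowed for sender domain " + domain, forms };
  }
  const reason = hasPasswordInput(html)
    ? "form with password field from unlisted sender"
    : "form from unlisted sender";
  return { scam: true, reason, forms };
}

// Constructed sample messages (not real mail); example.invalid is a reserved
// placeholder domain.
const SAMPLES = {
  credentialForm: {
    from: '"Account Team" <security@example.invalid>',
    html: '<html><body><p>Confirm your account:</p>' +
          '<form action="http://example.invalid/confirm">' +
          'User <input name="u"> Password <input type="password" name="p">' +
          '<input type="submit" value="Confirm"></form></body></html>',
  },
  replyNotification: {
    from: "LJ Notifications <notify@livejournal.com>",
    html: '<html><body><p>Someone replied to your entry.</p>' +
          '<form action="/reply-placeholder"><textarea name="body"></textarea>' +
          '<input type="submit" value="Post"></form></body></html>',
  },
  plainNewsletter: {
    from: "news@example.invalid",
    html: '<html><body><!-- <form action="/x"></form> --><p>Hello</p></body></html>',
  },
};

// Run all three samples with livejournal.com allowlisted, as comment 3's
// use case would require.
function demo() {
  const trusted = new Set(["livejournal.com"]);
  return Object.fromEntries(
    Object.entries(SAMPLES).map(([name, msg]) => [name, scanMessage(msg, trusted)])
  );
}
```

The allowlist is keyed on the From domain only, so it inherits that header's weakness: it is a usability exemption, not an authentication check. The heuristic also cannot tell a form in a forwarded web page (comment 2) from one the sender wrote, which is why the thread converges on letting the recipient exempt specific senders rather than on making the detector smarter.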