Closed Bug 308366 Opened 19 years ago Closed 19 years ago

mail containing link to "local" numerical IP address should not be marked as scam

Categories

(Thunderbird :: Mail Window Front End, defect)

Product:
Thunderbird
Component:
Mail Window Front End
Type:
defect
Priority:
Not set
Severity:
normal

Tracking

(Not tracked)

Status:
RESOLVED FIXED
Milestone:
Thunderbird2.0

People

(Reporter: u81239, Assigned: mscott)

References

Details

(Keywords: fixed-seamonkey1.1a, fixed1.8.1)

Attachments

(2 files, 3 obsolete files)

The email
3.67 KB, text/plain
Details
tweaked patch
1.37 KB, patch
Bienvenu
: superreview+
Details | Diff | Splinter Review
User-Agent: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8b4) Gecko/20050908 Firefox/1.4 Build Identifier: Mozilla/5.0 (Windows; U; Windows NT 5.1; nl; rv:1.8b4) Gecko/20050908 Firefox/1.4 Hey, The attached plain text email is marked as a scam by Thunderbird. I wonder why that is. Perhaps it is because Thunderbird itself ‘linkifies’ http://www.backbase.com to http://www.backbase.com/, which it subsequently detects as a scam attempt? Two solutions then: 1. it should add a trailing slash when linkifying the URL, and 2. the scam detection should not be triggered on plain text emails (unless there are specific detection mechanisms for that). ~Grauw Reproducible: Always Steps to Reproduce:
Attached file The email
Oh, and 3. the scam detection should not consider the difference between http://www.backbase.com and http://www.backbase.com/ as a scam attempt. ~Grauw
I'm guessing the scam detection is flagging on this link: http://192.168.50.109/#forum/messageThread.html?forum=1&thread=84[4] ^^^^^^^^^^^^^^
Yes, it seems so (because the bugmail also showed a scam bar). Or maybe it’s because of the # fragment identifier. We use links like that for Backbase Ajax applications, such as http://www.backbase.com/ . Anyways, it shouldn’t, the link is legitimate. ~Grauw
No, it seems to be the IP. I’m getting the scam warning again when I received this mail: "Your new WordPress blog has been successfully set up at: http://192.168.50.109/weblog/wp-admin" It’s getting pretty annoying... I really think the scam warning is giving way too many false positives like this. ~Grauw
Hyperlinks containing IP addresses instead of domain names are considered to be a common 'phishing' scheme, and therefore trigger the scam detector. I'm OK with this, but I think there should be a whitelist of some sort where I can identify an IP address as a "safe" IP address. When I click 'Not a scam', the IP addresses in the message should automatically be added to the whitelist.
That sounds reasonable. In addition to that, local network addresses (10.*.*.*, 192.168.*.*, and the other one) should be on that list by default. ~Grauw
Related to bug 305089, bug 320739 and bug 318916?
*** Bug 320739 has been marked as a duplicate of this bug. ***
-> new, adjusting summary
Status: UNCONFIRMED → NEW
Ever confirmed: true
Summary: Non-suspect plain text mail marked as scam → plain text mail containing link to numerical IP address should not be marked as scam
*** Bug 328455 has been marked as a duplicate of this bug. ***
Should be pretty easy for someone to modify phisingDetector.js to address comment 7
Keywords: helpwanted
Your wish is my command! This patch adds a check on whether the IP address is a local IP address (one of: 10.0.0.0/8, 169.254.0.0/16, 172.16.0.0/20 or 192.168.0.0/16), and only marks the address as a phishing address when it is not one of those. ~Grauw
Attachment #228173 - Flags: review?
Attachment #228173 - Flags: review? → review?(mscott)
(nit: tab->spaces)
Attachment #228173 - Attachment is obsolete: true
Attachment #228174 - Flags: review?(mscott)
Attachment #228173 - Flags: review?(mscott)
Comment on attachment 228174 [details] [diff] [review] Patch: do not mark as phishing if local IP address nice. I wish this happened with all of my bugs! This patch looks good, one minor change: if (hostNameIsIPAddress(hrefURL.host, unobscuredHostName)) - phishingType = kPhishingWithIPAddress; + if (hostNameIsHarmfulIPAddress(unobscuredHostName)) + phishingType = kPhishingWithIPAddress; can be just: if (hostNameIsIPAddress(hrefURL.host, unobscuredHostName) && hostNameIsHarmfulIPAddress(unobscuredHostName)) Do you need me to checkin this patch or do you have CVS access? Thanks again!
And maybe change if (ipComponents[0] == 172 && (ipComponents[1] >= 16 && ipComponents[1] < 32)) to if (ipComponents[0] == 172 && ipComponents[1] >= 16 && ipComponents[1] < 32) ? It doesn’t really matter, I suppose. But no, I don’t have CVS access, so if you could please check it in :). ~Grauw
Attached patch tweaked patchSplinter Review
lhostl, what do you think of this? It should do the same thing, but the code is a little bit tighter.
I知 fine with it :). (I do think though that the initial one, though not as tight, was a little bit better readable :).)
(In reply to comment #15) > This patch looks good, one minor change: > > if (hostNameIsIPAddress(hrefURL.host, unobscuredHostName)) > - phishingType = kPhishingWithIPAddress; > + if (hostNameIsHarmfulIPAddress(unobscuredHostName)) > + phishingType = kPhishingWithIPAddress; > > can be just: > if (hostNameIsIPAddress(hrefURL.host, unobscuredHostName) && > hostNameIsHarmfulIPAddress(unobscuredHostName)) Actually, that’s even a necessary change, because there’s an ‘else if’ after it, and it would ‘else’ on the inner if and not the outer one. ~Grauw
*** Bug 343746 has been marked as a duplicate of this bug. ***
Attachment #228174 - Attachment is obsolete: true
Attachment #228174 - Flags: review?(mscott)
Attachment #228195 - Flags: superreview?(bienvenu)
Attachment #228195 - Flags: superreview?(bienvenu) → superreview+
Status: NEW → RESOLVED
Closed: 19 years ago
Keywords: fixed1.8.1
Resolution: --- → FIXED
Target Milestone: --- → Thunderbird2.0
(In reply to comment #7) > That sounds reasonable. In addition to that, local network addresses (10.*.*.*, > 192.168.*.*, and the other one) should be on that list by default. > > ~Grauw Any IP address in a plain text message should me marked as ok, only for HTML messages the default allowed ranges should be as mentioned. In plain text messages, you can simply SEE the URL is numerical. Only in HTML messages the URL can be scammed. A scam prevention feature should only be triggered in case of scams, not in cases one can simply see what the actual URL is.
Summary: plain text mail containing link to numerical IP address should not be marked as scam → plain text mail containing link to "local" numerical IP address should not be marked as scam
In case you change the summary of this bug to make explicitly clear you mean only local IP's should be whitelisted, then the bug 320739 is NOT a duplicate of this bug. In my bug report #320739 I really meant to comment as I did hear: any plain text message should not be marked as scams, only HTML message should be. https://bugzilla.mozilla.org/show_bug.cgi?id=320739
TB part: *3 space nits cleanup. SM part: Port/Copy this bug fix to SeaMonkey.
Attachment #229133 - Flags: superreview?(bienvenu)
Attachment #229133 - Flags: review?(bienvenu)
OS: Windows XP → All
Hardware: PC → All
Version: unspecified → Trunk
Attachment #229133 - Flags: superreview?(bienvenu)
Attachment #229133 - Flags: superreview+
Attachment #229133 - Flags: review?(bienvenu)
Attachment #229133 - Flags: review+
Comment on attachment 229133 [details] [diff] [review] (Bv1) <phishingDetector.js> [Checkin: Comment 24 & 28 & 30] Checkin: { 2006-07-20 09:55 bugzilla%standard8.demon.co.uk mozilla/mail/base/content/phishingDetector.js 1.18 2006-07-20 09:55 bugzilla%standard8.demon.co.uk mozilla/mailnews/base/resources/content/phishingDetector.js 1.10 } 'approval1.8.1=?': (SeaMonkey only) Simple enhancement, ported from Thunderbird, no risk.
Attachment #229133 - Attachment description: (Bv1) <phishingDetector.js> → (Bv1) <phishingDetector.js> [Checkin: Comment 24]
Attachment #229133 - Flags: approval1.8.1?
Attachment #229133 - Flags: approval1.8.1? → approval-thunderbird2?
Comment on attachment 229133 [details] [diff] [review] (Bv1) <phishingDetector.js> [Checkin: Comment 24 & 28 & 30] Mike changed my resquest from |approval1.8.1? | to |approval-thunderbird2?|: I just want to make it explicit that the (real) code change is in the SeaMonkey part only.
Comment on attachment 229133 [details] [diff] [review] (Bv1) <phishingDetector.js> [Checkin: Comment 24 & 28 & 30] I can't actually approve the patch for 1.8.1 for you serge, I don't have access to that flag anymore. But I can fake the system out by approving it for tb2 since this is a mailnews only change that doesn't effect firefox.
Attachment #229133 - Flags: approval-thunderbird2? → approval-thunderbird2+
Oh, I didn't know: thanks to both of you, then :-)
Whiteboard: [checkin needed (1.8 branch): Bv1]
Checked in the mailnews part of the patch on the branch, with a=Neil. mozilla/mailnews/base/resources/content/phishingDetector.js 1.1.2.7
Keywords: fixed-seamonkey1.1a
Whiteboard: [checkin needed (1.8 branch): Bv1]
Attachment #229133 - Attachment description: (Bv1) <phishingDetector.js> [Checkin: Comment 24] → (Bv1) <phishingDetector.js> [Checkin: Comment 24 & 28]
Whiteboard: [checkin needed (1.8 branch): Bv1 (/mail/ part]
Whiteboard: [checkin needed (1.8 branch): Bv1 (/mail/ part]
Adjusting summary for what this actually did.
Summary: plain text mail containing link to "local" numerical IP address should not be marked as scam → mail containing link to "local" numerical IP address should not be marked as scam
Comment on attachment 229133 [details] [diff] [review] (Bv1) <phishingDetector.js> [Checkin: Comment 24 & 28 & 30] Checkin: { 2006-07-25 17:22 gavin%gavinsharp.com mozilla/mail/base/content/phishingDetector.js 1.12.2.6 MOZILLA_1_8_BRANCH 3/3 Fix whitespace nits to sync branch/trunk. }
Attachment #229133 - Attachment description: (Bv1) <phishingDetector.js> [Checkin: Comment 24 & 28] → (Bv1) <phishingDetector.js> [Checkin: Comment 24 & 28 & 30]
Attachment #229133 - Attachment is obsolete: true
You need to log in before you can comment on or make changes to this bug.

Attachment

General

Creator:
Created:
Updated:
Size: