Closed
Bug 370138
Opened 17 years ago
Closed 5 years ago
Disable links when message was detected as scam / phishing attempt (until user confirms: "no scam/phishing attempt")
Categories
(Thunderbird :: Mail Window Front End, enhancement)
Tracking
(Not tracked)
RESOLVED
WONTFIX
People
(Reporter: eddy_nigg, Unassigned)
References
(Blocks 1 open bug)
Details
User-Agent: Mozilla/5.0 (X11; U; Linux i686; en-US; rv:1.8.1.1) Gecko/20061208 Firefox/2.0.0.1
Build Identifier:
Thunderbird should deactivate any clickable links within a mail message, once it detects it as scam / phishing. If the mail is reverted to "Not a Scam", then all links should be clickable again.
Reproducible: Always
Steps to Reproduce:
1. Receive a phishing mail
2. Detect it as scam
3. Click on the link within the mail
Actual Results:
Links are clickable even if TB detected it as a scamming/phishing attempt.
Expected Results:
No links should exist in such a mail and the links should be removed or dead.
Comment 1•17 years ago
We already take certain actions based on junk or scam status, such as blocking images. We may even (I'm not sure) downgrade the display to the text version rather than the HTML version. Unfortunately, our converter which does this does autolinkification. So we'd need to find a way to switch that off on a per-message basis. I believe BenB knows about this area; CCing him. Gerv
Assignee: dveditz → mscott
Severity: normal → enhancement
Status: UNCONFIRMED → NEW
Component: Security → Mail Window Front End
Ever confirmed: true
QA Contact: thunderbird → front-end
Comment 2•17 years ago
Thanks for ccing me. FWIW, I have written both the Message Body | "As Simple HTML" and "As Plaintext" feature. I strongly recommend against the "As Plaintext" feature, it's severely inferior, inherently, and is only there due to popular (uneducated) demand, not rational reason. "Simple HTML" is just as safe, and we should use that wherever possible.
Re your question: It is possible to disable autolinking in the "As Plaintext" feature, with some code change to pass the converter a different flag. But it's also possible to entirely remove links in the "Simple HTML" feature, that would need only a preference change, just disallow <a href>. But that pref change would then also affect manual use of the feature, so it would need a code change with a flag, too.
Re this bug in general: ("Thunderbird should deactivate any clickable links within a mail message, once it detects it as scam / phishing.") This is not possible/practical unless the scam detector is a *whole* lot smarter and more failsafe. Currently, it's *really* really stupid, for example, whenever it sees an IP address, it thinks that's scam, and that's obviously way off and happens a lot for legitimate mails in practice. Filed bug 370141 for tracking and marking this bug dependent on that.
Depends on: 370141
Reporter
Comment 3•17 years ago
The underlying engine for detecting scam/phishing can and should be improved perhaps, without relation to what the expected behavior should be. E.g. there should be no clickable link once TB detected the message as scam. The same might be true also for junk, so it's not critical, just annoying. So this bug tries to address the fact that a link remains clickable, even though the message was flagged down. This should not be, since one might overlook the "Is a scam" button or whatever there is. Improvement at the detector is another issue... Obviously one can revert the detection as "Not Scam" or "Not Junk", if flagged by mistake and with it have the links in the mail clickable again.
Comment 4•17 years ago
Ben: as long as we make it so that links are restored when you click "not a scam", then the reliability of the engine isn't too important. I don't think we should make this bug dependent on some vague "make the engine better" bug, otherwise it'll never happen. Gerv
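The per-message flag from comment 2 and the "restore on Not a scam" behaviour from comments 3 and 4, sketched as an added example (not Thunderbird code): the rendered view is derived from the stored source plus the scam flag, so clearing the flag brings the links back. The allow-list, `MessageRenderer`, `render` and the sample message are assumptions made for illustration.

```python
from html import escape
from html.parser import HTMLParser

# Hypothetical allow-list, loosely modelled on a "simple HTML" view.
ALLOWED = {"p", "b", "i", "em", "strong", "ul", "ol", "li", "blockquote", "a"}
SAFE_SCHEMES = ("http://", "https://", "mailto:")

class MessageRenderer(HTMLParser):
    """Re-emit allow-listed tags (attributes dropped); <a href> only if allow_links."""
    def __init__(self, allow_links):
        super().__init__(convert_charrefs=True)
        self.allow_links, self.out = allow_links, []
        self.open_a = []  # per open <a>: None if emitted live, else inert href

    def handle_starttag(self, tag, attrs):
        if tag not in ALLOWED:
            return
        if tag != "a":
            self.out.append(f"<{tag}>")
            return
        href = dict(attrs).get("href") or ""
        live = self.allow_links and href.lower().startswith(SAFE_SCHEMES)
        self.open_a.append(None if live else href)
        if live:
            self.out.append(f'<a href="{escape(href, quote=True)}">')

    def handle_endtag(self, tag):
        if tag not in ALLOWED:
            return
        if tag != "a":
            self.out.append(f"</{tag}>")
        elif self.open_a:  # a stray </a> is ignored
            href = self.open_a.pop()
            # Inert link: keep the real destination visible as plain text.
            self.out.append("</a>" if href is None else f" [{escape(href)}]")

    def handle_data(self, data):
        self.out.append(escape(data))

def render(source_html, is_scam):
    """Pure function of stored source + flag, so "Not a scam" restores links."""
    r = MessageRenderer(allow_links=not is_scam)
    r.feed(source_html)
    r.close()
    return "".join(r.out)

# Constructed sample (192.0.2.7 is a documentation address).
SAMPLE = ('<p>Your account is locked. <a href="http://192.0.2.7/login">'
          'https://bank.example/login</a></p>')
```

With the flag set, the link text and its real destination both appear as plain text, which also exposes a mismatch between the two.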
Comment 5•17 years ago
> otherwise it'll never happen
Well, my hope is that the scam detector will be changed soon rather than never. It's really pretty useless as-is.
No longer depends on: 370141
Comment 6•17 years ago
As is, it displays a confirmation dialog if you click on a suspicious link, so I'm not sure this bug has much value. The thunderbird2 scam detector has support for similar scam detection as firefox2. But I think there is no provider yet, so the UI for it was recently commented out; it was still there in beta2, I think.
Comment 7•17 years ago
Magnus: you are right, although users tend to ignore dialogs. Although that one does default to "No", which is better than the alternative. Gerv
Reporter
Comment 8•17 years ago
Since I never click on a link which I don't know, I missed the dialog. Sorry about that, I just moved the mouse over the link and watched the URL in the status bar of TB, and assumed that the link would just work. Therefore this is much better actually! However, Gerv is right and I still believe that disabling the links altogether would be better, and make them clickable again if reverted as non-scam. Another popup window where people can click through is perhaps not what we desire... Decision is up to you (BTW, I'm using TB 2 beta 2).
Updated•16 years ago
Assignee: mscott → nobody
Updated•11 years ago
Summary: Disable links when detected as scam / phishing attempt. → Disable links when message was detected as scam / phishing attempt (until user confirms: "no scam/phishing attempt")
Comment 10•5 years ago
I think the current warning dialog is better. That way people know why clicking wouldn't work.
Status: NEW → RESOLVED
Closed: 5 years ago
Resolution: --- → WONTFIX