Closed Bug 691901 Opened 11 years ago Closed 4 years ago

Facebook URLs generating a scam warning

Categories

(Thunderbird :: Security, defect)

9 Branch
x86
macOS
defect
Not set
normal

Tracking

(Not tracked)

RESOLVED FIXED
Thunderbird 68.0

People

(Reporter: mitra_lists, Unassigned)

References

(Depends on 2 open bugs, Blocks 1 open bug)

Details

(Whiteboard: [fixed by bug 1476428])

I think something has changed in the algorithm that detects potential scam URLs. A lot of Facebook URLs are generating this warning at the moment.

I'm mostly seeing it on URLs into private groups - such as the following (I've changed some of the strings since this is a private group).

http://www.facebook.com/n/?groups%1234567%2F&id=11111&mid=98765&bcode=AbCdE&n_m=xxx%40yyy.biz 

The result is a lot more dialogue boxes to click through, and a high likelihood that a real scam URL will just get clicked through without thought.
Can you try to find out when this regressed? Or is it the URL sent by Facebook that changed?
Sorry Ludovic, but I don't have old versions installed, so regression is tough for me, though it's easy enough to replicate for anyone with multiple versions.

My guess is that it started occurring about a week before I posted.
(In reply to Mitra Ardron from comment #2)
> Sorry Ludovic, but I don't have old versions installed, so regression is
> tough for me, though it's easy enough to replicate for anyone with multiple
> versions.
> 
> My guess is that it started occurring about a week before I posted.

And can you take an old email and a new one and paste two URL examples, for instance? (Or send them to me if you need to protect some privacy.)
Ok - bad 
http://www.facebook.com/n/?groups%2F121234567891323%2F&id=170211234567899&mid=1234567890abcdefgihjklmnopq&bcode=mRejAAaaz&n_m=mitra%40mitra.biz

but I've got others with identical format URLs which are "good", so it might not be the URL that is the issue.


(I've changed the codes since both are private events/groups, though not sensitive)

Note that the former message showed a "scam detection" warning, the latter didn't.

Ludovic - I've emailed you the unedited messages.
Yep been unable to find a pattern :(
Are you able to repeat it? i.e. status->NEW?

If so then maybe the Warnings log should be showing why a scam is detected. I don't know how scam-detection works, i.e. if it's the message that is seen as a scam or the URL.
Status: UNCONFIRMED → NEW
Ever confirmed: true
Blocks: mail-scam
Usual cause is address mismatch (from what you see). You can play with the mail.phishing.detection.* prefs to see if that's it.
If Magnus is correct and the link points to a different address than it says in the text shown for the link, this may be bug 296952. To be conclusive, we would need to see both the link itself (which you already posted) along with the text on top of it (i.e., the full <a href=...>...</a> part of the HTML code).
Here is one: (copied out of View-Source) along with all the strange 3D and = characters in it. 

<a href=3D"http://www.facebook.com/l/nAQHSLG9c/www.yout=
ube.com/watch?v=3DP6wkjWxEbKY" style=3D"color:#3b5998;text-decoration:none=
;">http://www.youtube.com/watch?v=3DP6wkjWxEbKY</a>
That's actually correct quoted-printable encoding where the "=" at the end of each line serves as a continuation character to combine the split lines. Thus, hovering over the link should show the expected complete link in the status bar, i.e.,
http://www.facebook.com/l/nAQHSLG9c/www.youtube.com/watch?v=P6wkjWxEbKY
(note that the "=3D" resolves to the "=" which is normal too).

The reason why this triggers the scam warning is that the link goes to the domain www.facebook.com whereas the text claims it would link to www.youtube.com thus there is a mismatch. Now, if bug 320351 /was/ solved, one could teach the scam detector that this redirection is considered valid and thus should pass the test, but it isn't implemented yet, consequently no training is currently possible.
With the unlikelihood of a 7-year-old bug getting fixed, shouldn't the scam detector either 
a) be programmed with the common notifications from high-volume sites (like Facebook) 
or 
b) default to not detecting scams since it clearly does such a bad job of it that it's completely useless.
Ideally there should be three supporting mechanisms, one being a fixed list that could be bundled to the TB installation (which would need to be maintained by Mozilla), another a global phishing list similar to what Firefox does (which may require a separate agreement with Google, that issue is tracked in bug 368924 and bug 347218), and then a learning list trained by the user (bug 320351). Switching off the scam filter by default for the time being is bug 623198.

Neither of those shows any significant recent activity, thus I don't know what the current status of this feature is.
Depends on: 938902
What we probably should do is to not mark mismatched addresses as scam (since it's used fairly much in marketing) but show the warning alert if you do click on the link.
(In reply to Magnus Melin from comment #14)
> What we probably should do is to not mark mismatched addresses as scam
> (since it's used fairly much in marketing) but show the warning alert if you
> do click on the link.

I think we should still show a warning, but reduce the severity of the text. We don't currently do a good job of explaining *why* we think a message is a scam.
(In reply to Jim Porter (:squib) from comment #15)
> (In reply to Magnus Melin from comment #14)
> > What we probably should do is to not mark mismatched addresses as scam
> > (since it's used fairly much in marketing) but show the warning alert if you
> > do click on the link.
> 
> I think we should still show a warning, but reduce the severity of the text.
> We don't currently do a good job of explaining *why* we think a message is a
> scam.

bug 326829, bug 324820
Depends on: 326829
See Also: → 324820, 326829
See Also: 326829

Closing per "I think its closable if other people aren't seeing problems. - Mitra"

I think fixed by bug 1476428.

Status: NEW → RESOLVED
Closed: 4 years ago
Resolution: --- → FIXED
Whiteboard: [fixed by bug 1476428]
Target Milestone: --- → Thunderbird 68.0