Visually mark links in emails where displayed HTTP address != actual HTTP address



MailNews Core
5 years ago
2 years ago


(Reporter: clemens, Unassigned)


Windows 7

Firefox Tracking Flags

(Not tracked)



(1 attachment)



5 years ago
Created attachment 660334 [details]
The fishing email as .eml in a ZIP file

User Agent: Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.1 (KHTML, like Gecko) Chrome/21.0.1180.89 Safari/537.1

Steps to reproduce:

I received an email in which Thunderbird displayed this text excerpt:

I’d like to keep in touch and see if Confio could be of help in the future. For now, you can get the freeware version of Ignite at, and let me know if you have any questions.
### PASTE END ###

Copying the link location reveal this:

### PASTE END ###

Actual results:

Thunderbird displays the "bogus" link without any warning and leaves it up to the user to realize that it is a fishing link.

The email did not get marked as a fishing or spam email.

Expected results:

Thunderbird should display the "bogus" link with a very prominent warning and not allow to open the link without yet another security reminder (to avoid accidentally clicking on the link, too!).

The email should get marked as a fishing or spam email.

The definition of a fishing link is debatable I guess. While the above seems like an "indirect" link with the "target" information contained in it, like it is often provided on the internet (last but not least in Google results), it would be safer to mark all of these as possibly bogus and dangerous rather than to be sorry once the damage is done.

And for non fishing users it should typically be possible to provide links that do not have this kind of suspicious indirection.
Component: Security → Backend
Product: Thunderbird → MailNews Core
Removing myslef on all the bugs I'm cced on. Please NI me if you need something on MailNews Core bugs from me.

Comment 2

2 years ago
A bit sad that such a phishing/security/privacy related issue gets no attention. Perhaps kill Thunderbird (or donate, for example to Apache Foundation) instead of hibernating it like you did in the past years.
You need to log in before you can comment on or make changes to this bug.