Bug 163235

Summary: No phishing protection for links in HTML messages
Product: [Unmaintained] kmail Reporter: Robert Hogan <robert>
Component: generalAssignee: kdepim bugs <kdepim-bugs>
Status: RESOLVED UNMAINTAINED    
Severity: major CC: bjoern, kollix, lemma
Priority: NOR Keywords: triaged
Version: 1.9.9   
Target Milestone: ---   
Platform: Slackware   
OS: Linux   
Latest Commit: Version Fixed In:
Sentry Crash Report:
Attachments: Phishing email - forged target displays in status bar

Description Robert Hogan 2008-06-04 22:34:29 UTC 
Version:           1.9.9 (using KDE 3.5.9)
Installed from:    Slackware Packages
OS:                Linux

The html snippet:

<P><U><SPAN style=3D'color:blue'><a href=3D"http://www5.abbey.net.cfm93.net/servlet/?host=3D22shfdsnDshfdsnwhacrOrdn">http://ww2.abbeynational.net/servlet/?cookie=3D22shfdsnDshfdsnwhacrOrdn</A></SPAN></U></P>

results in the forged target being displayed in the status bar, rather than the actual target.

The full html snippet is:

<!DOCTYPE HTML PUBLIC "-//W3C//DTD HTML 4.0 Transitional//EN">
<HTML><HEAD>
<META http-equiv=3DContent-Type content=3D"text/html; charset=3Diso-8859-1">
<META content=3D"MSHTML 6.00.2900.2722" name=3DGENERATOR>
<title>Abbey: Private and Corporate Details Confirmation Webpage</title>
<STYLE></STYLE>
</HEAD>
<BODY>
<DIV>
<P><SPAN><img id=3D"qhc99c71" SRC=3D"cid:000901c8bef5$ab96040b$7301260a@marica"></SPAN></P>
<P><B><SPAN>Dear Abbey Private and Corporate Banking customer!</SPAN></b></p>
<P><SPAN>Our Maintenance Subdivision is doing a planned Digital Banking Service upgrade</SPAN></p>
<P><SPAN>By clicking on the link below you will open the procedure of the user details verification:</SPAN></p>
<P><U><SPAN style=3D'color:blue'><a href=3D"http://www5.abbey.net.cfm93.net/servlet/?host=3D22shfdsnDshfdsnwhacrOrdn">http://ww2.abbeynational.net/servlet/?cookie=3D22shfdsnDshfdsnwhacrOrdn</A></SPAN></U></P>
<P><SPAN>These directions are to be e-mailed and followed by all members of the Abbey National On-line Banking</SPAN></p>
<P><SPAN>Abbey National does apologize for any problems caused to you, and is very grateful for your collaboration.</SPAN></p>
<P><SPAN>If you are not customer of Abbey eBanking please disregard this e-mail!</SPAN></p>
<P><SPAN>*** This is an automated message, please do not reply ***</SPAN></P>
<P><SPAN style=3D'font-size:8.5pt;color:#003399'>(c) 2008 Abbey Electronic Banking. All Rights Reserved.</SPAN></p>
</DIV>
</BODY>
</HTML>
Comment 1 Robert Hogan 2008-06-04 22:36:14 UTC 
Created attachment 25125 [details]
Phishing email - forged target displays in status bar
Comment 2 Will Stephenson 2008-06-05 16:24:25 UTC 
Although we do warn by default not to trust the content of HTML mail, people will be turning on Prefer HTML to Plain Text by default nowadays.  We should do something about phishing.  I wonder if Konqueror has a solution?
Comment 3 Thomas McGuire 2008-06-07 20:33:16 UTC 
This works for me with the KDE4 version, the phishing URL is displayed in the statusbar.
Will, did you test this?

The ironic thing about the attached mail is that the plain text part of the mail doesn't have the phising URL in it, so by default it is not even possible to go to the phishing website.
Comment 4 Robert Hogan 2008-06-07 22:14:27 UTC 
Thomas: This bug was not raised against KDE4 but KDE 3.5.9. Closing this bug as WORKSFORME is incorrect.
Comment 5 Robert Hogan 2008-06-29 01:11:45 UTC 
This bug was not raised against KDE4 but KDE 3.5.9. Closing this bug as WORKSFORME is incorrect.
Comment 6 Martin Koller 2009-08-29 00:21:10 UTC 
There will be no more fixes in the KDE 3.x branches.
You can leave it open, but if you do not fix it, it will probably stay there forever ...
Therefore, please close it. We've much too much open bugs which are really problems even with kmail in KDE4
Comment 7 Björn Ruberg 2010-01-26 00:43:56 UTC 
KDE 3.5 is unmaintained - no fixes and backports from the team anymore