Bug 510551

Summary: False positive scam detection when an <a> tag contains the "title" attribute of which the content is the URL with uppercase letters
Product: [Applications] kmail2
Reporter: Huanyu Liu <1293660441>
Component: general
Assignee: kdepim bugs <pim-bugs-null>
Status: RESOLVED FIXED    
Severity: normal    
Priority: NOR    
Version First Reported In: 6.5.2   
Target Milestone: ---   
Platform: Arch Linux   
OS: Linux   
Latest Commit:
Version Fixed/Implemented In: 25.08.3
Sentry Crash Report:
Attachments: False positive scam mail

Description Huanyu Liu 2025-10-13 02:41:38 UTC
Created attachment 185725
False positive scam mail

SUMMARY
When viewing an HTML message, if an <a> tag contains the "title" attribute of which the content is the URL with uppercase letters, then KMail warns about scam, despite the fact that the URL in the "title" attribute is identical to the actual one.

Here is an example snippet, which is also included in the attached mbox file:
<a href="https://example.org/A" title="https://example.org/A">https://example.org/A</a>

STEPS TO REPRODUCE
0. Make sure scam detection is enabled
1. Download the attached sample file
2. Open it with KMail
3. View it in the HTML mode, if it is not the default behavior

OBSERVED RESULT
KMail warns about a possible scam, insisting that there is a link which points to https://example.org/a but reads as https://example.org/A (notice how the uppercase letters are converted to the lowercase ones)

EXPECTED RESULT
No scam should be reported

SOFTWARE/OS VERSIONS
Operating System: Arch Linux 
KDE Plasma Version: 6.4.5
KDE Frameworks Version: 6.18.0
Qt Version: 6.10.0
Kernel Version: 6.17.1-arch1-1 (64-bit)
Graphics Platform: Wayland

ADDITIONAL INFORMATION
There are some real-world HTML mail clients that indeed compose links in this way, which is the reason why I found this bug.
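
The comparison this report turns on, as an added example that is not part of the report and is not KMail's or messagelib's code: a check that lowercases the whole href (an assumption about the cause, matching the observed result) reproduces the false positive, while normalizing both strings with a URL parser lowercases only scheme and host and keeps the path's case. Function names and all sample links except the reported one are constructed.

```javascript
// Added example: compare the URL an <a> displays (text or title) with its href.
// Function names are hypothetical, not taken from messagelib.

// Naive check (assumed cause): lowercases the href only, so any uppercase
// character in the path makes two identical URLs look different.
function naiveMismatch(href, shown) {
  return href.toLowerCase() !== shown;
}

// The WHATWG URL parser lowercases scheme and host (case-insensitive parts)
// and leaves path, query and fragment untouched (case-sensitive parts).
function canonical(s) {
  try {
    return new URL(s.trim()).href;
  } catch {
    return null; // not an absolute URL, e.g. plain link text
  }
}

// True only when the displayed string is itself a URL that differs from href.
function isSuspicious(href, shown) {
  const target = canonical(href);
  const display = canonical(shown);
  // Plain-text labels and unparsable hrefs are outside this check's scope.
  if (target === null || display === null) return false;
  return target !== display;
}

// Constructed samples; the first row is the link from the report.
const samples = [
  ["https://example.org/A", "https://example.org/A"], // identical
  ["https://EXAMPLE.org/A", "https://example.org/A"], // host case only
  ["https://example.org/a", "https://example.org/A"], // different path
  ["https://example.net/A", "https://example.org/A"], // different host
  ["https://example.org/A", "Click here"],            // label is not a URL
];

for (const [href, shown] of samples) {
  console.log(
    `${href} shown as "${shown}": naive=${naiveMismatch(href, shown)} ` +
    `normalized=${isSuspicious(href, shown)}`
  );
}
```
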
Comment 1 Laurent Montel 2025-10-13 06:49:10 UTC
Git commit 3e6c40b5da57ad626f81ff8b29eae12147bf8682 by Laurent Montel.
Committed on 13/10/2025 at 06:48.
Pushed by mlaurent into branch 'release/25.08'.

Add autotest for BUG-510551 (false positive)

M  +3    -0    messageviewer/src/scamdetection/autotests/scamdetectionwebenginetest.cpp

https://invent.kde.org/pim/messagelib/-/commit/3e6c40b5da57ad626f81ff8b29eae12147bf8682
Comment 2 Laurent Montel 2025-10-13 06:53:21 UTC
Git commit 4de0a2eb4d436e916b5ba1ece3fef08c243d0119 by Laurent Montel.
Committed on 13/10/2025 at 06:53.
Pushed by mlaurent into branch 'master'.

Add autotest for BUG-510551 (false positive)
(cherry picked from commit 3e6c40b5da57ad626f81ff8b29eae12147bf8682)

M  +3    -0    messageviewer/src/scamdetection/autotests/scamdetectionwebenginetest.cpp

https://invent.kde.org/pim/messagelib/-/commit/4de0a2eb4d436e916b5ba1ece3fef08c243d0119
Comment 3 Laurent Montel 2025-10-13 22:20:41 UTC
Git commit 9d6fa3d67875a1599c2c2bd1d10a815d2b109f57 by Laurent Montel.
Committed on 13/10/2025 at 22:20.
Pushed by mlaurent into branch 'release/25.08'.

Fix bug 510551: False positive scam detection when an <a> tag contains the "title" attribute of which the content is the URL with uppercase letters
FIXED-IN: 25.08.3

M  +0    -1    messageviewer/src/scamdetection/autotests/scamdetectionwebenginetest.cpp
M  +2    -1    messageviewer/src/scamdetection/scamdetectionwebengine.cpp

https://invent.kde.org/pim/messagelib/-/commit/9d6fa3d67875a1599c2c2bd1d10a815d2b109f57
Comment 4 Laurent Montel 2025-10-13 22:21:43 UTC
Git commit 1ece3218f0f154961c7c24c0a5ba9259c7f9e501 by Laurent Montel.
Committed on 13/10/2025 at 22:21.
Pushed by mlaurent into branch 'master'.

Fix bug 510551: False positive scam detection when an <a> tag contains the "title" attribute of which the content is the URL with uppercase letters
FIXED-IN: 25.08.3
(cherry picked from commit 9d6fa3d67875a1599c2c2bd1d10a815d2b109f57)

M  +0    -1    messageviewer/src/scamdetection/autotests/scamdetectionwebenginetest.cpp
M  +2    -1    messageviewer/src/scamdetection/scamdetectionwebengine.cpp

https://invent.kde.org/pim/messagelib/-/commit/1ece3218f0f154961c7c24c0a5ba9259c7f9e501