Scammers often use the title attribute in links to disguise the href, and KMail doesn't do anything to protect from this. When hovering over a link in an HTML mail, the title is shown both in the hover tip and in the status line.
Steps to Reproduce:
1. Open a scam mail such as the attached one.
2. Hover over the links to here linkedin.com
3. Both hover tip and status line show the title, not the link.
As described in reproduction steps.
The link should be shown both in hover tip and status line.
I'm using KMail from within Kontact but that shouldn't matter.
On purpose I haven't filed this as a feature request, because I think it's a basic security precaution that should be fixed.
Created attachment 74328
Example phishing attempt mail.
And what do you want us to do?
Oh, I'm sorry if I didn't write that: Show the actual link in the href on hover instead of the title.
Example anchor link (dunno if bugzilla allows markup?)
<a href="http://http://rakibkhan.com/boWzhT98/index.html/" title="http://www.linkedin.com">Adjust your message settings.</a>
On hover show the possibly malicious link http://http://rakibkhan.com/boWzhT98/index.html instead of http://www.linkedin.com
I'm sorry to bother again, but I really think this is a grave security issue. MUAs should help protect users against phishing attempts, and currently KMail does the opposite.
In Denmark we have a lot of mails spoofing e.g. the tax authorities' addresses, and the general advice is to hover over the links in the mail to see where they point. In KMail this doesn't work, so you have to view the source of the mail.
Sorry I didn't have time to do it.
Will do it today or tomorrow.
Will implement scam search feature for 4.11
Great! I didn't mean to bug you, it just looked like it wasn't a priority.
Git commit d598e27a603cce276068898cf8d244f51b1003ce by Montel Laurent.
Committed on 19/03/2013 at 16:51.
Pushed by mlaurent into branch 'KDE/4.10'.
Fix Bug 307818 - Fishing protection: KMail displays title in link not href
always shows url and not title
M +0 -4 messageviewer/viewer_p.cpp
Git commit a40573f3758643708da5051df438daf4704da678 by Montel Laurent.
Committed on 20/03/2013 at 08:07.
Pushed by mlaurent into branch 'master'.
Implement scam detection. Now we have a warning when we detect that
a message can be a scam.
(for the moment we detect if an anchor has a title and it shows a URL
which is not the URL defined in href)
We will improve it.
M +9 -0 messageviewer/mailwebview.h
M +15 -2 messageviewer/mailwebview_webkit.cpp
M +17 -12 messageviewer/scamdetection/scamdetection.cpp
M +3 -5 messageviewer/scamdetection/scamdetection.h
M +5 -0 messageviewer/scamdetection/scamdetectionwarningwidget.cpp
M +3 -0 messageviewer/scamdetection/scamdetectionwarningwidget.h
M +1 -0 messageviewer/viewer_p.cpp
M +4 -1 messageviewer/webkitparthtmlwriter.cpp
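The rule the commit above describes (an anchor whose title shows a URL that is not the URL in its href) and the hover behaviour requested in the earlier comment (show the href, never the title) can both be illustrated with a small detector. The following is an added example, not KMail's own code: the parser, the helper names and the sample mail body are assumptions constructed for the illustration, and the first anchor in the sample is the one quoted in the report. It goes one step beyond the 4.11 rule by also flagging visible link text that looks like a URL but points elsewhere.

```python
"""Flag anchors whose displayed URL (title attribute or visible text) has a
different host than the href, and show what a hover tip should display.
Added example; nothing here is KMail's own implementation."""

from html.parser import HTMLParser
from urllib.parse import urlparse


class AnchorCollector(HTMLParser):
    """Collect href, title and visible text of every <a> element."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self._open = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            attr = {k: (v or "") for k, v in attrs}
            self._open = {"href": attr.get("href", ""),
                          "title": attr.get("title", ""),
                          "text": ""}

    def handle_data(self, data):
        if self._open is not None:
            self._open["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._open is not None:
            self.anchors.append(self._open)
            self._open = None


def looks_like_url(s):
    """True for strings a reader would take for a web address."""
    s = s.strip().lower()
    return s.startswith(("http://", "https://", "www."))


def host_of(url):
    """Host used for comparison: lower-cased, with a leading 'www.' dropped.
    A malformed href such as 'http://http://host/...' yields the bogus host
    'http', which still differs from the displayed host and is therefore flagged."""
    url = url.strip()
    if url.lower().startswith("www."):
        url = "http://" + url
    host = (urlparse(url).hostname or "").lower()
    return host[4:] if host.startswith("www.") else host


def suspicious_anchors(html):
    """Return (href, displayed) pairs where the displayed URL's host differs
    from the href's host. 'displayed' is the title attribute (the 4.11 rule)
    or, as an extension, visible link text that looks like a URL."""
    parser = AnchorCollector()
    parser.feed(html)
    findings = []
    for a in parser.anchors:
        for shown in (a["title"], a["text"]):
            if looks_like_url(shown) and host_of(shown) != host_of(a["href"]):
                findings.append((a["href"], shown.strip()))
                break
    return findings


def hover_label(anchor):
    """What the hover tip and status line should show: always the href,
    never the attacker-controlled title."""
    return anchor["href"]


# Constructed sample mail body (not the attachment from the report).
SAMPLE_HTML = """
<p><a href="http://http://rakibkhan.com/boWzhT98/index.html/"
      title="http://www.linkedin.com">Adjust your message settings.</a></p>
<p><a href="http://example.net/login">https://www.example.org/account</a></p>
<p><a href="https://www.example.org/help" title="https://example.org/help">Help</a></p>
<p><a href="https://example.org/unsubscribe" title="Unsubscribe from this list">Unsubscribe</a></p>
"""

if __name__ == "__main__":
    for href, shown in suspicious_anchors(SAMPLE_HTML):
        print(f"possible scam: shows {shown!r} but points to {href!r}")
```

Only the first two anchors are reported: the third differs from its title only by a "www." prefix, and the fourth has a title that is not a URL at all, which keeps the check from firing on ordinary descriptive titles.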
Thomas in 4.11 I created a scam detector.
It's the beginning but I will add more checks.
(In reply to comment #9)
> Thomas in 4.11 I created a scam detector.
> It's the beginning but I will add more checks.
This is awesome. More than I had asked for :)
Now we have a widget to inform that the message is perhaps a scam message.
I will investigate more rules to check them.
Hey, that's really cool! Thank you!
But please check out bug #324103 as this could lead to misunderstandings by people not being aware of technical details.