Scammers often use the title in links to disguise the href, and KMail doesn't do anything to protect against this. When hovering over a link in an HTML mail, the title is shown both in the hover tip and in the status line.
Reproducible: Always
Steps to Reproduce:
1. Open a scam mail such as the attached one.
2. Hover over the links to here linkedin.com
3. Both hover tip and status line show the title, not the link.
Actual Results: As described in reproduction steps.
Expected Results: The link should be shown both in hover tip and status line.
I'm using KMail from within Kontact but that shouldn't matter. On purpose I haven't filed this as a feature request, because I think it's a basic security precaution that should be fixed.
Created attachment 74328 Example fishing attempt mail.
And what do you want us to do?
Oh, I'm sorry if I didn't write that: Show the actual link in the href on hover instead of the title.
Example anchor link (dunno if bugzilla allows markup?)
<a href="http://http://rakibkhan.com/boWzhT98/index.html/" title="http://www.linkedin.com">Adjust your message settings.</a>
On hover show the possibly malicious link http://http://rakibkhan.com/boWzhT98/index.html instead of http://www.linkedin.com
I'm sorry to bother again, but I really think this is a grave security issue. MUAs should help protect users against phishing attempts, and currently KMail does the opposite. In Denmark we have a lot of mails spoofing e.g. the tax authorities' addresses, and the general advice is to hover over the links in the mail to see where they point. In KMail this doesn't work, so you have to view the source of the mail.
Sorry I didn't have time to do it. Will do it today or tomorrow. Will implement scam search feature for 4.11.
Regards.
Great! I didn't mean to bug you, it just looked like it wasn't a priority.
Git commit d598e27a603cce276068898cf8d244f51b1003ce by Montel Laurent.
Committed on 19/03/2013 at 16:51.
Pushed by mlaurent into branch 'KDE/4.10'.
Fix Bug 307818 - Fishing protection: KMail displays title in link not href
FIXED-IN: 4.10.2
always shows url and not title
M +0 -4 messageviewer/viewer_p.cpp
http://commits.kde.org/kdepim/d598e27a603cce276068898cf8d244f51b1003ce
Git commit a40573f3758643708da5051df438daf4704da678 by Montel Laurent.
Committed on 20/03/2013 at 08:07.
Pushed by mlaurent into branch 'master'.
Implement scam detection. Now we have a warning when we detect that a message can be a scam. (for the moment we detect if an anchor has a title and it shows an url which is not the url defined in href) We will improve it.
M +9 -0 messageviewer/mailwebview.h
M +15 -2 messageviewer/mailwebview_webkit.cpp
M +17 -12 messageviewer/scamdetection/scamdetection.cpp
M +3 -5 messageviewer/scamdetection/scamdetection.h
M +5 -0 messageviewer/scamdetection/scamdetectionwarningwidget.cpp
M +3 -0 messageviewer/scamdetection/scamdetectionwarningwidget.h
M +1 -0 messageviewer/viewer_p.cpp
M +4 -1 messageviewer/webkitparthtmlwriter.cpp
http://commits.kde.org/kdepim/a40573f3758643708da5051df438daf4704da678
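The check described in the commit above (an anchor whose title shows a URL that is not the one in its href), as an added Python example; it is not KMail's scamdetection.cpp and not part of the original thread. Comparing hosts rather than full URLs, ignoring a leading "www.", and also checking the visible link text go beyond what the commit states and are assumptions of this example, as are the names `url_host`, `LinkAuditor` and `find_spoofed_links`.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample body using reserved example domains (not the reported mail).
SAMPLE = """<a href="http://login.example.net/x/" title="http://www.example.com">Adjust settings</a>
<a href="https://example.com/help" title="http://www.example.com/help">Help</a>
<a href="https://example.org/a">www.example.com</a>"""

def url_host(value):
    """Host of a URL-looking string ("scheme://" or "www." prefix), else None."""
    value = (value or "").strip()
    if value.lower().startswith("www."):
        value = "http://" + value
    try:
        host = urlsplit(value).hostname if "://" in value else None
    except ValueError:  # malformed authority such as a broken IPv6 literal
        return None
    return host[4:] if host and host.startswith("www.") else host

class LinkAuditor(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []   # (href, displayed value, "title" or "text")
        self._open = None    # (href, text parts) of the anchor being read

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            a = dict(attrs)
            self._open = (a.get("href"), [])
            self._check(a.get("href"), a.get("title"), "title")

    def handle_data(self, data):
        if self._open:
            self._open[1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._open:
            self._check(self._open[0], "".join(self._open[1]), "text")
            self._open = None

    def _check(self, href, shown, where):
        # Flag only when both sides parse as URLs and name different hosts.
        target, claimed = url_host(href), url_host(shown)
        if target and claimed and target != claimed:
            self.findings.append((href, shown.strip(), where))

def find_spoofed_links(html):
    auditor = LinkAuditor()
    auditor.feed(html)
    return auditor.findings
```

A title or link text that is not URL-shaped (for example "Unsubscribe") is never flagged, so the check only fires when the mail displays one address and links to another.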
Thomas, in 4.11 I created a scam detector. It's the beginning but I will add more checks.
Regards
(In reply to comment #9)
> Thomas in 4.11 I created a scam detector.
> It's the beginning but I will add more check.
This is awesome. More than I had asked for :)
Now we have a widget to inform that the message is perhaps a scam message. I will investigate more rules to check them.
Regards
Hey, that's really cool! Thank you! But please check out bug #324103 as this could lead to misunderstandings by people not being aware of technical details.