Version: (using KDE KDE 3.2.2) Installed from: Mandrake RPMs OS: Linux I sometimes get spam emails with links such as: <a href="http://www.evilsite.com/steal-your-password.cgi">http://www.ebay.com/updateaccountdetails</a> Here, the link seems to point to ebay.com, but really points to another (password stealing) site. The effect can be quite convincing, especially if the user has KMail configured to display HTML messages. As far as I can think there are *no* legitimate reasons an email should contain this markup, and the user should be warned. At the moment the only a newbie user could realise this is a trick is by hovering over the link and looking at the URL in the bottom left, but they are unlikely to notice such details. I think when when link's text is a URL different to its target, the link should be displayed in a way warning the user the URL they're clicking on isn't the site they'd visiting. Perhaps a different color could be used for the link, or a warning message at the top of the email.
There is absolutely no need for a link to have the same value as the displayed text. We will definitely not filter out something which is valid html just because some spammers abuse this. As a result most of the links would be marked this way (<a href="http://www.myhome.com">Visit my home</a>) so the warning wouldn't make sense. Wontfix.
Carsten, I think the reporter meant only to color a thing like: <a href="http://www.fakesite.com">http://www.nofakesite.com</a> So when the link-text (http://www.nofakesite.com) != link-address(http://www.fakesite.com) No color is needed if the link-text is not an url.
Carsten Burghardt: You misunderstand what I am saying. I said: "link's text is a *URL* different to its target" Not, as you said: "a link to have the same value as the displayed text" Of course, giving a link text other than the target is fine, and you give a good example of where that can be used to enhance the readability of a message. But when the displayed text is a different *URL* the sender is misleading the user. So this is fine: <a href="http://www.myhome.com">Visit my home</a> This is not <a href="http://www.myhome.com">http://www.ebay.co.uk</a> Because the later is tricking the user. I am reopening because this was closed based on a misunderstanding. Hopefully I have been clearer this time.
Expressed in a psudo-dom this would be something like (I don't normally code in javascript etc, but it should show the point): //have an element a - the link if( isURL( a.innerHTML ) && (a.innerHTML != a.href) ) { //link is a trick! } note how I'm not just saying if(a.innerHTML != a.href)
> But when the displayed text is a different *URL* the sender is misleading > the user. What about this: <a href="http://www.myspamsite.com">www.nospamsite.com</a> Obviously different - but no valid URL.
On Wednesday 18 August 2004 13:27, Jim Higson wrote: > Of course, giving a link text other than the target is fine, Just like this? go to your <a href="http://fakesite.com">online banking account</a>
> go to your <a href="http://fakesite.com">online banking account</a> There is a bit of a difference: Spammers who employ this trick send out the barest HTML markup - no images, bold tags etc - so the message looks like plaintext. This is dangerous because when an email appears to be plaintext the user will not question if the link text is different from the target URL. At least if the link text is something like "online banking account" the user will not think the link was created by KMail from a plaintext URL. > What about this: > <a href="http://www.myspamsite.com">www.nospamsite.com</a> Ok, so instead of: "where the link text is a valid URL", We should say: "where the link text is something KMail treats as a URL in plaintext messages" So www.nospamsite.com would count, since KMail marks that up as a URL when it is recieved plaintext. (if you are reading this in KMail you'll see!)
By chance, I just got one of these emails, so I saved the html and put it up here: http://users.aber.ac.uk/jqh1/phish.html
Just for information, such a phishing mail detection routine has been proposed for Thunderbird. More information and a discussion can be found at Mozilla's Bugzilla: https://bugzilla.mozilla.org/show_bug.cgi?id=279191 Hopefully something similar will be implemented soon.
"Perhaps a different color could be used for the link, or a warning message at the top of the email." Only an advanced user would be likely to understand the significance of the different colour for the link; and such users probably don't fall for phishing scams anyway. Much better to have a warning message at the top (in the style of Thunderbird), or to pop up a warning message when the e-mail is displayed, or to pop up a warning message when the link is followed. Maybe it would be good too to have a page in the help file explaining in more detail what's going on, as an inexpert user might be quite unfamiliar with the whole area. I think this request is a good one, and would like to see it.
Since there will be a warning in most cases for HTML messages, maybe the normal warning could be adapted: "Note: This is an HTML message. For security reasons, only the raw HTML code is shown. If you trust the sender of this message then you can activate formatted HTML display for this message by clicking here. Futhermore, this email contains links to evilsite.com, which have been masked so they appear to be to ebay.com. It is likely this message is part of a "phishing" scam, and should be treated with caution. Especially, you <b>should not submit banking or personal</b> information after following links from this mail. For more information on such fraud please see (link)" Because a lot of people just scan the HTML warning, the second part should be especially highlighted. For people that have KMail set to use HTML without a warning, the warning should also appear at the top of the email when formatted HTML is displayed.
Hi, another scheme that is sometimes used by phishers is to encode some parts of the URL like this: http://register.ebay.com%62%6C%61%62%6C%61%31%32%33%3A%67%61%75%6E%65%72 ... instead of http://register.ebay.comblabla123:gauner@123.321.210.012:8000 I got some messages where the text was actually a picture which was linked to such an address. This method is quite dangerous because it even works with plain text mails. These addresses must also be flagged.
On Friday 04 February 2005 16:52, Gilles Schintgen wrote: > http://register.ebay.com%62%6C%61%62%6C%61%31%32%33%3A%67%61%75%6E%65%72 > ... instead of > http://register.ebay.comblabla123:gauner 123 321 210 012:8000 Somehow bugzilla crippled the second URL. Of course the "at" is missing and the dots in the IP address. Well, you get the point...
just the mails you got were crippled - the data is untouched
*** This bug has been confirmed by popular vote. ***
I think this is a necessary feature to stop kmail from falling behind other products in this area. A simple rule would be as follows: if (URL in the href != URL displayed) and (they don't differ merely by possession of http:// (default protocol)) then COMPLAIN! Complaints should be via a pop-up window with a dire warning when you click the link.
In order to avoid problems with encodings, and simplified URLs being displayed, maybe instead of the rule: URL in the href != URL displayed there should be the rule: domain within URL in the href != domain within URL displayed
> In order to avoid problems with encodings, and simplified URLs being > displayed, maybe instead of the rule: > URL in the href != URL displayed > there should be the rule: > domain within URL in the href != domain within URL displayed Also, subdomains should probably be ignored since "surfcore.co.uk" is a legitimate shortening of "http://www.surfcore.co.uk" (for example).
Maybe when clicking on a suspect link, a popup would appear asking "Do you really want to open page 'actual href address'?" The popup could have a title such as "Potentially harmful link!"
Thank you for your feature request. Kmail1 is currently unmaintained so we are closing all wishes. Please feel free to reopen a feature request for Kmail2 if it has not already been implemented. Thank you for your understanding.
Instead of creating a new feature request, please confirm here if the wishlist is still valid for kmail2.