Phishing protection: Difference between revisions

From MozillaZine Knowledge Base
(→‎Scam warning: copy-pasted content from the TB 5.0 article)
(→‎Scam warning: major rewrite with more specific information)
===Scam warning===


The implementation of the scam feature remains incomplete [https://bugzilla.mozilla.org/show_bug.cgi?id=654502]. It is based on a fixed set of rules which are triggered when an HTML message contains links with either a numerical IP address or where the text over the link suggests a different target than the actual link underneath. Unfortunately, many newspaper-style messages and notices follow the latter pattern, usually to keep track of clicked links in such messages to get some statistics on how frequently such a link was clicked. There is currently no way to white-list such links [https://bugzilla.mozilla.org/show_bug.cgi?id=320351], and no service similar to the Google-based phishing list Firefox is using has been established for Thunderbird [http://groups.google.com/group/tb-planning/browse_thread/thread/46da904ec70e5dee].
The implementation of the scam-detector feature remains incomplete [https://bugzilla.mozilla.org/show_bug.cgi?id=654502]. It is based on a fixed set of rules which are triggered when specific patterns frequently seen in phishing e-mails are detected in a message. The scam detector shouldn't be confused with junk and spam filtering which is also offered in Thunderbird and SeaMonkey. The latter is capable of learning based on the messages flagged as junk by the user.
 
===Trigger rules===
 
Most importantly, the scam detector for e-mail is currently ''not'' linked to the phishing lists used for detecting malicious sites when browsing [http://groups.google.com/group/tb-planning/browse_thread/thread/46da904ec70e5dee]. It is also not possible to white-list domains as non-forgery similar to the junk control system [https://bugzilla.mozilla.org/show_bug.cgi?id=320351].
The alert is triggered when:
* a message contains links with a numerical IP address like http://127.0.0.1/
* an HTML message contains links where the text over the link suggests a different target than the actual link underneath (e.g., the text you see shows https://secure-site.example.com/ whereas the underlying link indeed points to http://nasty-site.example.com/ which is disguised in this way).
No alert is triggered when:
* a simple text not resembling a web address is put over a link which in turn points to a phishing site (no check against a list),
* the title of a link (e.g., the text which shows up as a tooltip when hovering over a link) resembles a web address which points to a different domain than the link itself.  


{{Right-pic|Tb50scamWarning.png}}
A request to disable the feature by default for the time being has thus far been denied [https://bugzilla.mozilla.org/show_bug.cgi?id=623198], but as a workaround it has been made more apparent that the feature ''can'' be switched off. The scam warning now comes with a direct link which will disable the feature for this and all other messages [https://bugzilla.mozilla.org/show_bug.cgi?id=653103], thus it's easier to find when too many false positives are reported. To reactivate the scam warnings, check the respective box in the Security → E-mail Scams options.
The alert is shown as an info bar and can be dismissed for the specific message using the "Ignore Warning" ''(Thunderbird)'' or "Not a Scam" ''(SeaMonkey)'' button. In any case, it is important to '''look at the status bar''' when hovering over a link as it will show the ''actual'' address where the link points.
 
===Caveats===
 
Unfortunately, many newspaper-style messages and notices follow the pattern of tunneling links through some analytics server, usually to keep track of clicked links in such messages to get some statistics on how frequently the link was clicked. Thus, if that server happens to be located in a different domain than the actual link target as indicated, the scam alert is triggered.
 
===Disabling the scam warning===
If you see too many false alerts with the e-mail messages you receive, one option is to disable the scam alert entirely. In Thunderbird, you can click "Disable scam detection for all messages" ''(missing in SeaMonkey's info bar)''. Note that this will suppress warnings for ''all'' future messages until reactivated.


Note that, even though Thunderbird does not have an agreement yet with a phishing-list provider, right-clicking on a suspicious link in a message you received allows you to report that link as such to a provider [https://bugzilla.mozilla.org/show_bug.cgi?id=653798].
The scam detector can be disabled or enabled with a checkbox "Tell me if the message I'm reading is a suspected e-mail scam" in
* Tools → Options → Security → E-mail Scams ''(Thunderbird)''
* Edit → Preferences → Mail & Newsgroups →  Junk & Suspect Mail ''(SeaMonkey)''


[[Category:Privacy and security]]

Revision as of 21:59, 3 June 2013

Phishing is a malicious attempt to gather private information, usually credentials (username and password) for login to sensitive sites (e.g., on-line banking) or other sensitive information (credit-card or social-security numbers).

See the following articles, depending on whether you are looking for protection when browsing websites or for e-mail messages:

  1. Safe browsing (Firefox and SeaMonkey)
  2. Junk Mail Controls (Thunderbird and SeaMonkey)

Scam warning

The implementation of the scam-detector feature remains incomplete [1]. It is based on a fixed set of rules which are triggered when specific patterns frequently seen in phishing e-mails are detected in a message. The scam detector shouldn't be confused with junk and spam filtering which is also offered in Thunderbird and SeaMonkey. The latter is capable of learning based on the messages flagged as junk by the user.

Trigger rules

Most importantly, the scam detector for e-mail is currently not linked to the phishing lists used for detecting malicious sites when browsing [2]. It is also not possible to white-list domains as non-forgery similar to the junk control system [3].

The alert is triggered when:

  • a message contains links with a numerical IP address like http://127.0.0.1/
  • an HTML message contains links where the text over the link suggests a different target than the actual link underneath (e.g., the text you see shows https://secure-site.example.com/ whereas the underlying link indeed points to http://nasty-site.example.com/ which is disguised in this way).

No alert is triggered when:

  • a simple text not resembling a web address is put over a link which in turn points to a phishing site (no check against a list),
  • the title of a link (e.g., the text which shows up as a tooltip when hovering over a link) resembles a web address which points to a different domain than the link itself.

The alert is shown as an info bar and can be dismissed for the specific message using the "Ignore Warning" (Thunderbird) or "Not a Scam" (SeaMonkey) button. In any case, it is important to look at the status bar when hovering over a link as it will show the actual address where the link points.

Caveats

Unfortunately, many newspaper-style messages and notices follow the pattern of tunneling links through some analytics server, usually to keep track of clicked links in such messages to get some statistics on how frequently the link was clicked. Thus, if that server happens to be located in a different domain than the actual link target as indicated, the scam alert is triggered.
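To make the trigger rules and the analytics-server caveat concrete, here is a small model of the detector written for this page; it is an added example, not Thunderbird's or SeaMonkey's own code. It assumes exactly the two rules listed above, that the "text over the link" is the anchor's visible text, and that the title attribute is ignored; the sample messages and domain names are constructed.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import urlparse
class _LinkCollector(HTMLParser):  # collects (href, visible text) per <a href>
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":  # the title attribute is deliberately not looked at
            self._href, self._text = dict(attrs).get("href"), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    try:
        return (urlparse(url).hostname or "").lower()
    except ValueError:  # e.g. a malformed bracketed IPv6 literal
        return ""

def _is_ip(host):
    try:
        return ipaddress.ip_address(host) is not None
    except ValueError:
        return False

def scam_reasons(html):
    """Rule hits for one message; an empty list means no info bar is shown."""
    parser = _LinkCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.links:
        if _is_ip(_host(href)):  # rule 1: link target is a numeric IP address
            hits.append(("ip-address", href))
        elif text.startswith(("http://", "https://", "www.")):  # rule 2
            shown = _host(text if "://" in text else "http://" + text)
            if shown and shown != _host(href):  # text names another host
                hits.append(("text-mismatch", href))
    return hits

# Constructed samples; example.com / example.net are reserved documentation domains.
PHISH_IP = '<a href="http://127.0.0.1/login">Sign in</a>'
PHISH_MISMATCH = '<a href="http://nasty-site.example.com/">https://secure-site.example.com/</a>'
NEWSLETTER = '<a href="http://click.example.net/r?id=1">https://news.example.com/</a>'  # caveat case
PLAIN_TEXT = '<a href="http://nasty-site.example.com/">Click here</a>'  # slips through
TITLE_ONLY = '<a href="http://nasty-site.example.com/" title="https://secure-site.example.com/">Click here</a>'
```

Running `scam_reasons` over the five samples shows the two phishing patterns and the tracked newsletter link all raising an alert, while the plain-text and title-only links pass silently, which is exactly why the status bar still needs to be checked.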

Disabling the scam warning

If you see too many false alerts with the e-mail messages you receive, one option is to disable the scam alert entirely. In Thunderbird, you can click "Disable scam detection for all messages" (missing in SeaMonkey's info bar). Note that this will suppress warnings for all future messages until reactivated.

The scam detector can be disabled or enabled with a checkbox "Tell me if the message I'm reading is a suspected e-mail scam" in

  • Tools → Options → Security → E-mail Scams (Thunderbird)
  • Edit → Preferences → Mail & Newsgroups → Junk & Suspect Mail (SeaMonkey)