Phishing protection

Phishing is a malicious attempt to gather private information, usually credentials (username and password) for login to sensitive sites (e.g., on-line banking) or other sensitive information (credit-card or social-security numbers).

See the following articles, depending on whether you are looking for protection when browsing websites or for e-mail messages:

1. Safe browsing (Firefox and SeaMonkey)
2. Junk Mail Controls (Thunderbird and SeaMonkey)

Scam warning

The implementation of the scam-detector feature remains incomplete [1]. It is based on a fixed set of rules which are triggered when specific patterns frequently seen in phishing e-mails are detected in a message. The scam detector shouldn't be confused with junk and spam filtering which is also offered in Thunderbird and SeaMonkey. The latter is capable of learning based on the messages flagged as junk by the user.

Trigger rules

Most importantly, the scam detector for e-mail is currently not linked to the phishing lists used for detecting malicious sites when browsing [2]. It is also not possible to white-list domains as non-forgery similar to the junk control system [3] The alert is triggered when:

• a message contains links with a numerical IP address like http://127.0.0.1/
• an HTML message contains links where the text over the link suggests a different target than the actual link underneath (e.g., the text you see shows https://secure-site.example.com/ whereas the underlying link indeed points to http://nasty-site.example.com/ which is disguised in this way).

No alert is triggered when:

• a simple text not resembling a web address is put over a link which in turn points to a phishing site (no check against a list),
• the title of a link (e.g., the text which shows up as a tooltip when hovering over a link) resembles a web address which points to a different domain than the link itself.

The alert is shown as an info bar and can be dismissed for the specific message using the "Ignore Warning" (Thunderbird) or "Not a Scam" (SeaMonkey) button. In any case, it is important to look at the status bar when hovering over a link as it will show the actual address where the link points to.

Caveats

Unfortunately, many newspaper-style messages and notices follow the pattern of tunneling links through some analytics server, usually to keep track of clicked links in such messages to get some statistics how frequently the link was clicked. Thus, if that server happens to be located in a different domain than the actual link target as indicated, the scam alert is triggered.

Disabling the scam warning

If you see too many false alerts with the e-mail messages you receive, one option is to disable the scam alert entirely. In Thunderbird, you can click "Disable scam detection for all messages" (missing in SeaMonkey's info bar). Note that this will suppress warnings for all future messages until reactivated.

The scam detector can be disabled or enabled with a checkbox "Tell me if the message I'm reading is a suspected e-mail scam" in

• Tools → Options → Security → E-mail Scams (Thunderbird)
• Edit → Preferences → Mail & Newsgroups → Junk & Suspect Mail (SeaMonkey)