Phishing protection

From MozillaZine Knowledge Base

Revision as of 22:12, 3 June 2013; view current revision
←Older revision | Newer revision→

Phishing is a malicious attempt to gather private information, usually credentials (username and password) for login to sensitive sites (e.g., on-line banking) or other sensitive information (credit-card or social-security numbers).


Phishing warning when browsing the web

(applies to Firefox and SeaMonkey)

The "Safe Browsing" feature compares each website visited against a list of reported web forgeries, and will prevent loading of such a page by default. This warning should be taken seriously, only proceed once you have verified that the web address you have entered is correct and trustworthy.

→ See Safe browsing for complete information on this feature.

Wrong or missed warnings

  • False alert: You can report a trustworthy page for which a warning was issued with a button in the info bar.
  • Missed site: To report a site that looks like a phishing site to you to the provider, use Help → Report Web Forgery from the menu.

Reports are verified by the provider before a change in the lists can be seen.

Scam warning for e-mails received

(applies to Thunderbird and SeaMonkey)

The implementation of the scam-detector feature remains incomplete [1]. It is based on a fixed set of rules which are triggered when specific patterns frequently seen in phishing e-mails are detected in a message. The scam detector shouldn't be confused with junk and spam filtering which is also offered in Thunderbird and SeaMonkey. The latter is capable of learning based on the messages flagged as junk by the user.

→ See Junk Mail Controls for information on the junk/spam-filtering feature.

Trigger rules

Most importantly, the scam detector for e-mail is currently not linked to the phishing lists used for detecting malicious sites when browsing [2]. It is also not possible to white-list domains as non-forgery similar to the junk control system [3] The alert is triggered when:

No alert is triggered when:

  • a simple text not resembling a web address is put over a link which in turn points to a phishing site (no check against a list),
  • the title of a link (e.g., the text which shows up as a tooltip when hovering over a link) resembles a web address which points to a different domain than the link itself.

The alert is shown as an info bar and can be dismissed for the specific message using the "Ignore Warning" (Thunderbird) or "Not a Scam" (SeaMonkey) button. In any case, it is important to look at the status bar when hovering over a link as it will show the actual address where the link points to.

Wrong or missed warnings

  • False alert: Dismissing the alert with the button in the info bar will not show it on this message again, but for any other messages even if they are coming from the same sender.
  • Suspicious link: To report a link that looks like a phishing site to you to the provider, right-click on that link in the message you received and select "Report E-mail Scam" (Thunderbird only).


Unfortunately, many newspaper-style messages and notices follow the pattern of tunneling links through some analytics server, usually to keep track of clicked links in such messages to get some statistics how frequently the link was clicked. Thus, if that server happens to be located in a different domain than the actual link target as indicated, the scam alert is triggered.

Disabling the scam warning

If you see too many false alerts with the e-mail messages you receive, one option is to disable the scam alert entirely. In Thunderbird, you can click "Disable scam detection for all messages" (missing in SeaMonkey's info bar). Note that this will suppress warnings for all future messages until reactivated.

The scam detector can be disabled or enabled with a checkbox "Tell me if the message I'm reading is a suspected e-mail scam" in

  • Tools → Options → Security → E-mail Scams (Thunderbird)
  • Edit → Preferences → Mail & Newsgroups → Junk & Suspect Mail (SeaMonkey)