A bug report alerted me that KMail didn’t have scam detection.

So I decided to implement it.
Phishing mails use several methods that KMail tries to detect:
  • some HTML emails use a title in the link that differs from the href URL (for example: <a href="http://phishing-website.fr/foo.html" title="http://mybank.com/">hello it’s your bank</a>)
  • the URL contains a redirect URL: <a href="http://mybank.com/?q=http://phishing-website.fr/foo.html">
  • the HTML mail has a form
  • the URL uses an IP address directly
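
The four checks listed above, written out as an added Python example. This is not KMail's implementation; the finding names, the scan() helper and the SAMPLE mail body are assumptions made for illustration.

```python
import ipaddress
from html.parser import HTMLParser
from urllib.parse import parse_qsl, urlsplit

SAMPLE = (  # constructed mail body: the post's placeholder URLs plus a TEST-NET address
    '<a href="http://phishing-website.fr/foo.html" title="http://mybank.com/">bank</a>'
    '<a href="http://mybank.com/?q=http://phishing-website.fr/foo.html">offer</a>'
    '<form action="http://phishing-website.fr/login"><input name="pin"></form>'
    '<a href="http://192.0.2.10/login">log in</a>'
)

def _host(url):
    """Hostname of an http(s) URL, or None for anything else."""
    try:
        parts = urlsplit(url.strip())
    except ValueError:  # malformed input, e.g. unbalanced IPv6 brackets
        return None
    return parts.hostname if parts.scheme in ("http", "https") else None

class ScamScanner(HTMLParser):
    def __init__(self):
        super().__init__()
        self.findings = []  # (check name, offending value), in document order

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "form":  # HTML mail has a form
            self.findings.append(("form", attrs.get("action") or ""))
        href = attrs.get("href") or ""
        host = _host(href) if tag == "a" else None
        if host is None:
            return
        title_host = _host(attrs.get("title") or "")
        if title_host and title_host != host:  # title shows another site
            self.findings.append(("title-mismatch", href))
        for _, value in parse_qsl(urlsplit(href).query):
            target = _host(value)
            if target and target != host:  # query carries a foreign URL
                self.findings.append(("redirect", value))
        try:
            ipaddress.ip_address(host)  # raises unless host is a literal IP
            self.findings.append(("ip-host", href))
        except ValueError:
            pass

def scan(html):
    scanner = ScamScanner()
    scanner.feed(html)
    return scanner.findings
```

A title that is not a URL and a redirect parameter that stays on the same host are left alone, which keeps two obvious sources of false positives out of the warning.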
So when KMail detects one of these, it shows a warning:
You can:
  • Show details (what KMail detected)
  • Move the mail directly to trash (to avoid clicking on it)
  • Confirm that it’s not a scam; we don’t want the warning to be shown all the time, because scam detection produces false positives
  • Disable Scam detection for all.

There is a details dialog box too:


11 comments until now

  1. Raul Fernandes @ 2013-04-21 14:53

    Cool.
    One thing that you could add is if the email has an empty image.
    This is used to track if the user read the email or not.

  2. Awesome: this feature is wonderful. Can I suggest some ideas:
    - do something like blacklisted email addresses;
    - search the email for words that commonly appear in phishing.

  3. Your detailed explanation for the user seems to require a technical background to be interpreted. Is this intentional?

  4. This is great news indeed, glad you added that feature!
    This is especially interesting for me, because I’m
    1) A usability consultant for KDE in my spare time
    2) A researcher in the field of “usable security”, with my research focus on – and here comes the kicker – users’ reactions to potentially dangerous (e.g. scam) online messages.
    So I have read a bit of literature about this topic ;)

    Here are some points that came to my mind immediately:
    - I agree with Robert that the detailed explanation would be of little use for average users since it mostly consists of technical terms. Here’s a suggestion for a – longer but probably better to understand for non-technical people – alternative message:
    “This email contains a link which points to a numerical IP address instead of a typical textual website address. This is often the case in scam emails”
    - The link to the details should ideally be positioned near the warning message instead of near the actions, because users ask themselves why the message appeared when they read it, not when they have to make a decision. Plus, all the other buttons are actual reactions to the warning, whereas the details have to be seen _before_ choosing the appropriate reaction, so it doesn’t really fit in with them.
    - Perhaps even more often than in the link title tag, the URL which the scammers want to make recipients believe the link is pointing to is in the link _text_ (between the <a> and </a> tags). So if you find a URL there which differs from the one in the href, it’s likely that you’re looking at a phishing or other scam mail.

    I’d be glad to provide further input and I could even evaluate the warnings in a scientific study at the university (in fact, we’ve already done studies quite similar to that).
    So if you’d like to cooperate with me/us, just send an email to the address I provided with this comment.

    Cheers,
    Thomas

  5. Hi Laurent
    As the reporter of https://bugs.kde.org/show_bug.cgi?id=307818 I’m of course very glad to see this post, and you have made an even bigger effort than I expected. Kudos for that.
    One small thing, which is perhaps the most simple, is if KMail now shows the actual href in the status bar when hovering a link, instead of the title?

  6. @Raul Fernandes: “One thing that you could add is if the email has an empty image.” they used a URL on this image?

    @Filippo: “blacklisted email addresses;” yes, I will allow creating a filter to move it to trash directly
    “search the email for words that commonly appear in phishing.” we need a list of words for each language; not sure if there is a database for it.

    @Robert: no, we need to improve it :)

    @Thomas Pfeiffer: “This email contains a link which points to a numerical IP address instead of a typical textual website address. This is often the case in scam emails” thanks, I will replace it with that :)
    “The link to the details should ideally positioned near the warning message” will look at how to implement it
    “just send an email to the address I provided with this comment.” will do :)

    @Thomas Tanghus: hi :) yes, of course it shows the href in the status bar; it was the initial bug :) and it was fixed in 4.10.2

  7. For info:
    - I improved the text in the details dialog box
    - I added a details button near the warning message

    I searched how to implement blacklisting of email addresses correctly.

  8. gronzo.granato @ 2013-04-22 13:41

    Concerning blacklisting/whitelisting: that was requested already for HTML e-mails – mentioned somewhere in another bug, but it looks like it was never considered.
    Background: I want Plain Text as default, but for certain senders (especially newsletters) I would like to get HTML enabled automatically.
    So if you are on black/whitelisting scam it would be great to see this for HTML, too (if it is possible…)

  9. @gronzo: “blacklist email” here is for moving it directly to trash (when we define that these emails send scam email, we move them to trash).
    Your request is for seeing or not seeing the HTML version by default. It’s another feature, but yes, I will look at it.

  10. [...] – KDE 4.11: Nepomuk data migration tool Source – Official announcement [...]

  11. [...] More information – KDE 4.11: Nepomuk data migration tool Source – Official announcement [...]
