Future feature request I think is important

Hi Michael,

As you know phishing attacks are common and more and more sophisticated.

No longer do emails come from Nigerian princes or from “Amazon” with bad spelling and grammar and pixelated company logos pasted in, revealing it was written by a North Korean. But I think they all still have in common fake links in the body of the text that look legit (i.e. “Amazon.com/…etc.”) as if going to the supposed sender’s website but actually point to a pernicious URL. Of course the sophisticated user will right click and see it’s fake, but the vulnerable user, or a sophisticated user who is in a hurry or sleep deprived, will not.

Also, as you know, the sender address looks like it’s coming from a real sender (e.g. joe@amazon.com) but right clicking shows it’s not (i.e. boris@thekgb.ru).

So my question is, in the future can SS spot and manage emails with spoofed links and then display a big red WARNING: DO NOT CLICK THIS or something?

Thank you.
Elliot Krane


Good idea!


SpamSieve does not have access to change the way messages are displayed in Mail. In any case, I think the proper way to handle such messages is to move them to Junk so that you aren’t in a position to click the links in the first place.


Hi Michael,

Yes, I certainly agree that is the best solution today, but what about messages that get past SS and wind up in the inbox? I’m only wondering if SS can compare the From: email address as it is seen on screen with the actual email address that is hiding behind the apparent email, and if there is a discrepancy, alert the user or move that to Junk? And if SS evaluates the email content as I think it does, can it do the same for links that appear as one thing but really send the user someplace else?

Elliot

What about them? If they get past SpamSieve, it thinks they’re good, so they should be in the inbox. Displaying warnings on certain links would be nice but is not technically possible.

I’d like to hear more about your boris example because I’m not really sure what you mean by that. There is not really such a thing as the “actual” e-mail address that sent a message.

Yes, but it’s common for legitimate messages to do this, too, especially with redirects and tracking URLs. Some of this could probably be untangled by loading the URLs to see where they end up, but usually I hear from users that they want to be protected from Web bugs.

Thanks for your reply.

Once in a while I’ll get a phishing attempt, and when I do I’ll screenshot what I’m trying inartfully to convey.

Periodically my university’s IT group sends out a phishing email to catch the unwary. Those who click through the link are taken to a gotcha URL page as a warning. They snag me occasionally.

Elliot Krane


This is identical to the question I asked here: Teach SS the concept of a disguised URL

Of the examples that you sent in that thread, only one seemed to have a disguised URL (www.intuit.com going to t.co), and that isn’t why it got through SpamSieve. But, going with that example, what do you want to happen there? In the general case, t.co might be a valid sister domain or analytics link. Do you want SpamSieve to assume that any non-matching URLs mean the message is spam no matter how good the rest of it looks? Not assume, but give it a slight demerit? Follow the redirects (thus maybe triggering a Web bug) to see where the link ends up?

That’s a good question.

The key point here is, I think, that spam has greatly evolved over the years. Nearly all of the spam I get nowadays, dozens per day, is highly sophisticated phishing, where AI has been used to make the email look really convincing, and the sole clue is that the main link you’re being asked to click in the email goes to some evil location.

But that clue is decisive. Therefore, I propose, SpamSieve has a duty (if at all possible) to detect this and mark the email as spam, because if it doesn’t, the risk remains that someone will click that link. If it isn’t really spam, the user can train it as good; but once the user has clicked on the link, gone to the very convincing web site, and given away the keys to the kingdom, the damage is done, as if SpamSieve had never existed.

Thus, the techniques used by SpamSieve in the past, looking for example at words and phrases in the email, are either ineffective or are of greatly diminished importance compared to this one fact, a fact which is obvious to the human eye and mind and therefore, if possible, should be made obvious to SpamSieve: links are important, and links that go somewhere skanky are overwhelmingly a sign of spam, no matter how non-spammy everything else about the email may seem.

Whether SpamSieve can rise to this challenge, I have no idea. Perhaps it would require the use of some new form of “intelligence”, different from the current Bayesian probabilistic analysis of the email’s contents in general.

Thank you for injecting this chain into the conversation. Your discussion is much more sophisticated than mine but essentially asks the same question, and your solution proposal seems correct and doable to me. It seems like the pushback is because it would require a significant change in the SS code and methodology, not just an update but a significantly different version. But I’m not a programmer or coder, just a user, so what do I know? Just that it seems to me that phishers are not the same as spammers and are therefore slipping through the SS net.

And amplifying my just written email, spam is a real nuisance, phishing is a real danger.

Do you mean in the manner of www.intuit.com going to t.co or just that there’s AI text and a bad link? My experience is that there tend to be clues beyond just the link (e.g. in the headers) and that SpamSieve has no trouble catching these messages. If you are finding otherwise, please report the uncaught spam messages as described here.

I would agree that if the link goes to a bad place that’s probably decisive. But I don’t think the display text not matching the URL is. There’s definitely useful information there, and I’m working on analyzing a large dataset to see how many spam vs. good messages do this and how SpamSieve can factor in this information. But I don’t think it’s safe to make a binary decision just looking at the link. For example, I would have assumed that an e-mail with a 1Password.co URL was spam, but it turns out that 1Password (not a spammer) actually does use that secondary domain for their tracking links.

The user may never see it, because many people don’t really review their spam mailboxes, and even then it can be hard to spot messages that shouldn’t be there. I view classifying a good message as spam as much worse than letting a spam message into the inbox. Most people seem to be really afraid of missing an important message. Of course, phishing is also a real danger. Maybe there should be a setting for people who want to prioritize that.

Would you be OK with SpamSieve loading links to see whether it thinks they are skanky?

He didn’t propose a solution. He essentially said that a message with a spammy link should be treated as spam, which is a restatement of the problem.

It’s not that; it’s that it sounds to me like jumping to a solution without considering the potentially dangerous consequences and without first establishing that the problem exists.

Would you want to see more phishing messages caught even if it might mean more good messages in the Junk mailbox? Would you want SpamSieve to do more deep analysis of the links even if it means sacrificing some privacy and letting spammers see that your e-mail address is valid?

I don’t mean to sound dismissive, but I’m accustomed to hearing from customers who very confidently tell me why a spam e-mail wasn’t caught, and 99% of the time the real reason was something else entirely.

More specifically, I am not seeing in actual data from customers that there is a particular problem with messages of the type you describe getting through. If you are seeing that, please follow the instructions here for reporting uncaught spam messages. Please flag the messages in the log, save a diagnostic report, and attach the messages by dragging them out of the Log window. Then there will be something concrete to investigate.

I don’t have an example at the moment where a phishing link was obviously bad but SpamSieve didn’t catch the message as spam, because when that happens, I train SpamSieve and so it recognizes the general pattern of that email for the next time. I’ll try to remember to hang on to the next one that rolls around.

I don’t think “The user may never see it because many people don’t really review their spam mailboxes” is fair. You’re always telling people to review their spam mailboxes; it’s the user’s job to train false positives as good.

I don’t think “Would you be OK with SpamSieve loading links” is fair either. I don’t know how to solve the problem, and I’m not a safety expert; I have no idea whether that might be a bad thing for SpamSieve to do. Personally I can usually tell the link is bad just by looking at what the link is, which is why I find it hard to believe that a machine can’t learn to do the same — although a few days ago I had a really clever one where the spammers had found a way to hijack a very genuine-looking domain that was in fact “parked”.

Finally, I’d like to emphasize that it is not the current “me” that I’m worried about here. SpamSieve is generally working great for me right now; it’s catching dozens of spams per day. The problem user is someone like my 97-year-old mother, or a future “me” where I might not be so perspicuous. The spammers are getting much, much better at this game, and I’m getting worse at it.

I’m going to go back to being dormant now. I’m already really sorry I spoke up again. I’m just trying to be helpful but I always come out feeling like I’ve been beaten up.

It is, but the reality is that many users don’t do that. Some of them proudly tell me so—they’re so confident they’ll never have a problem. Others intend to but sometimes forget. Others do check but have trouble picking out the good message with all the noise. It’s surprisingly common (as is not training spam messages in the inbox). I’m trying to make sure these people have good experiences, too.

It was a serious question. It’s fine if you have no opinion, but I assure you that many non-experts have very strong opinions on this. I’m not really bothered, personally, but there are others who would probably be horrified if this happened without opt-in.

I think this may be part of the disconnect. I’m not saying it can’t be learned, and I know there are databases, but I am nowhere close to even trusting myself to do this just by looking. I just did a search of some disguised URLs in my own mail and quickly made mistakes in both directions. Maybe I’m misunderstanding your claim. Do you mean that given a URL you can tell whether it’s bad? Or are you saying that you don’t have an answer for some URLs but that there are others you can be sure are bad?

Even your example from the other thread is not obvious to me. t.co is a mainstream URL shortener/tracker, so I don’t think a URL that links there is necessarily spammy. I would not be surprised if Twitter at one time actually sent e-mails where the displayed link used the real domain but the actual link was a t.co URL. The other wrinkle is that in theory Twitter will figure out that a URL is dangerous and kill the redirect so, long-term, a given t.co URL should become safe.

Thanks for clarifying. I was confused because your post made this sound like a huge problem, but you had only ever reported the one message like that. I agree that it should be investigated even if it isn’t a problem for you today.

I’m sorry—that was certainly not my intent. I was trying to ask clarifying questions because I know you have both strong opinions and a strong technical background. I’m not asking you for a solution, but it sounded like you thought this problem was much simpler than I do so I was trying to explore the space and see what I might be missing.
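As an added example of the display-text versus href comparison discussed above (the www.intuit.com/t.co and 1Password.co cases, and scoring a mismatch as a demerit rather than a binary verdict), here is a small checker written for this thread; it is not SpamSieve’s code or any poster’s. The allow-list of secondary domains, the crude registrable-domain helper, the regex-based anchor extraction and the sample message body are all constructed assumptions.

```python
import re
from urllib.parse import urlsplit

# Constructed allow-list of secondary domains legitimate senders use (thread: t.co, 1Password.co).
KNOWN_SECONDARY = {"twitter.com": {"t.co"}, "1password.com": {"1password.co"}}
# Anchor extraction by regex is fine for a demo; production code should use a real HTML parser.
ANCHOR = re.compile(r'<a\b[^>]*\bhref="([^"]*)"[^>]*>(.*?)</a>', re.I | re.S)
TAGS = re.compile(r"<[^>]+>")
DOMAIN_IN_TEXT = re.compile(r"(?:https?://)?(?:www\.)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)

def registrable(host):
    """Crude eTLD+1 (last two labels); real code should consult the public-suffix list."""
    parts = host.lower().strip(".").split(".")
    return ".".join(parts[-2:])

def disguised_links(html):
    """For each anchor whose visible text names a domain, return (shown, actual, verdict)."""
    out = []
    for href, inner in ANCHOR.findall(html):
        m = DOMAIN_IN_TEXT.search(TAGS.sub("", inner))
        if not m:
            continue  # "Click here" makes no domain claim, so there is nothing to disguise
        shown, actual = registrable(m.group(1)), registrable(urlsplit(href).hostname or "")
        if shown == actual:
            verdict = "match"
        elif actual in KNOWN_SECONDARY.get(shown, set()):
            verdict = "known-secondary"  # a tracking redirector this sender is known to use
        else:
            verdict = "mismatch"
        out.append((shown, actual, verdict))
    return out

def link_demerit(html, per_mismatch=0.15, cap=0.45):
    """Capped score contribution, not a binary verdict: one demerit per unexplained mismatch."""
    mismatches = sum(1 for _, _, v in disguised_links(html) if v == "mismatch")
    return round(min(cap, mismatches * per_mismatch), 2)

# Constructed sample body (not a real message): one disguised link, one known secondary domain,
# one honest link and one anchor whose text makes no domain claim.
SAMPLE = ('<a href="https://t.co/abc123">www.intuit.com</a> '
          '<a href="https://links.1password.co/x">https://my.1password.com/</a> '
          '<a href="https://www.amazon.com/orders"><b>Amazon.com</b>/orders</a> '
          '<a href="https://example.net/u">Click here</a>')

if __name__ == "__main__":
    print(disguised_links(SAMPLE), link_demerit(SAMPLE))
```

Only the intuit/t.co anchor counts against the message; the 1Password link is explained by the allow-list and the Amazon link matches, which is the kind of weighting the thread argues for instead of treating any mismatch as spam.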

I’m going to let this topic rest as well, except to echo mattn in saying that there are many stories of users, typically but not always elderly ones, being the victims of phishing attacks. It also happens to large enterprises with catastrophic results. It was just a suggestion that SpamSieve might, in one future version or upgrade, explore the opportunity to catch these.

I have great respect for companies like c-command that make great products that address real user problems, that put out updates and upgrades frequently, and that maintain this forum with great patience in being asked the same questions over and over.

-EJK

Thank you. You don’t have to convince me that phishing is bad. I’m just trying to be up front with you that your specific suggestion (a big red warning) is not going to happen because Apple Mail does not allow that sort of access. So your efforts are better spent asking Apple to allow Mail extensions to control how messages are displayed.

Of course, there’s more that can be done, but from my perspective SpamSieve is already doing a lot to catch these messages. I take from your posts that you think SpamSieve is ignoring “the opportunity” and that as a result messages are “slipping through.” So I hope that you will take my suggestion above to report these messages. Or if, like mattn, your concern is more theoretical, please clarify that.

My overall take is that no protection is ever 100%, so if phishing is potentially catastrophic the real solution is training people not to do risky things like click a link and enter their information into a form. Best practices are that if you get a phone call from someone asking for your account number or other private information, you don’t try to assess whether they are who they say they are. Rather, you assume that they are untrustworthy and only provide such information when you have initiated the communication, e.g. by calling the number on the back of your card. It should be the same way with e-mail. I think assessing whether a link or site is real is harder than it seems. Just clicking a link is not dangerous. But if you are entering information, this should only be done when you (or your password manager or bookmark) have entered a trusted URL.