SeaMonkey SCAM (vice Spam) Detection

User Help for Seamonkey and Mozilla Suite
R.N. Folsom
Posts: 583
Joined: July 24th, 2004, 4:52 pm

SeaMonkey SCAM (vice Spam) Detection

Post by R.N. Folsom »

In deciding whether an email may be a Scam, does SeaMonkey check to see whether the email includes "a link to http://badsite.com with display text for the link as http://goodsite.com"? (That phrasing comes from GettinSadda, post 8 on the Wilders thread I link to below.)

I'm curious, because SeaMonkey correctly labeled a very well done phishing email as a Scam, and the scam did use the goodsite/badsite technique. Previously, I've noticed that SeaMonkey has a tendency to label any financial email as a scam, but that turns out to be a false positive --- the financial email is not a scam and does not involve malware. But the phishing email that SeaMonkey correctly labeled had nothing to do with finance, so I'm wondering if SeaMonkey likely had noticed the goodsite/badsite technique.

QUESTION BACKGROUND:
Last week I received two separate emails sent only seconds apart, with the subject line "Critical Update for Microsoft Outlook" (but the messages' main body included Outlook Express also) which allegedly came from Microsoft.com (according to the Normal headers). Each message had a SeaMonkey warning that the message could be a Scam (I forget the exact wording). When I looked at the "All headers," each message clearly came from elsewhere (different places for each).

The message cited Microsoft's kb910721, but that bulletin had been issued in December 2005, and had nothing to do with Outlook or Outlook Express (except that both of them are email programs). So I concluded that these messages clearly were phishing to put some malware on my computer, and I did not download the "critical update."

Initially I thought that Eset's NOD32 latest version (4.0.437) should have caught that message, but since the message itself was clean, that initial thought was wrong. But before I understood that, I started a thread on the Wilders NOD32 security forum, at
http://www.wilderssecurity.com/showthread.php?t=246250
(In that thread, my initial post includes an image of the actual phishing email, and an attachment that contains both email headers.)

According to the third post in that thread, the "Critical Update" turned out to contain a link to "a variant of Win32/Kryptik.TL" trojan.

So I appreciate SeaMonkey's warning. I'm just curious about how it decided to issue that warning --- luck, or by comparing display links and actual links.

Roger Folsom
The.Purple.Hippo
Posts: 1122
Joined: February 26th, 2007, 4:49 pm
Location: Cartoon Land

Re: SeaMonkey SCAM (vice Spam) Detection

Post by The.Purple.Hippo »

Unfortunately, the Scam feature is NOT trainable. This is why a lot of people have turned it off. In the address bar type in about:config and look for this entry:

mail.phishing.detection.enabled

Once found, double-click on it and set it to false.
R.N. Folsom
Posts: 583
Joined: July 24th, 2004, 4:52 pm

Re: SeaMonkey SCAM (vice Spam) Detection

Post by R.N. Folsom »

Purple.Hippo:

Thanks for that information; that setting was new to me. But I won't disable mail.phishing.detection. I don't mind getting the Scam warning about financial emails, because I think the warnings about non-financial Scams (and probably about true financial scams, although those get caught in my ISP's TMDA anti-spam filter) could be worthwhile. The warning about this particular scam definitely was worthwhile, given that its link would have installed "a variant of Win32/Kryptik.TL" trojan.

This scam got through that TMDA filter apparently because its fake "from" address of microsoft.com had been whitelisted. How that happened I know not, because I don't remember doing it or having any reason to do it myself.

However, I do remain curious about why and how the Scam feature detected this "Critical Update for Microsoft Outlook [/ Outlook Express]" Scam, which definitely is a (non-financial) Scam.

Incidentally, a private message from someone else invited my attention to a
ZDNet News and Blogs story about these scams: June 18th, 2009, "Fake Microsoft patches themed malware campaigns spreading," at http://blogs.zdnet.com/security/?p=3648.

Thanks again for inviting my attention to that mail.phishing.detection setting. And here's hoping that SeaMonkey 2.x will include Scam training.

Roger Folsom
raj_bhaskar
Posts: 1946
Joined: November 7th, 2002, 3:50 am
Location: Glasgow, Scotland

Re: SeaMonkey SCAM (vice Spam) Detection

Post by raj_bhaskar »

However, I do remain curious about why and how the Scam feature detected this "Critical Update for Microsoft Outlook [/ Outlook Express]" Scam, which definitely is a (non-financial) Scam.

How Thunderbird’s Scam Detection Works

This is about Thunderbird, but I believe that SM and TB use the same scam detection code.
Johnfull
Posts: 1463
Joined: November 10th, 2004, 5:18 am

Re: SeaMonkey SCAM (vice Spam) Detection

Post by Johnfull »

There is no 'Email Scam' tab in Seamonkey to disable...
The.Purple.Hippo
Posts: 1122
Joined: February 26th, 2007, 4:49 pm
Location: Cartoon Land

Re: SeaMonkey SCAM (vice Spam) Detection

Post by The.Purple.Hippo »

Johnfull wrote: There is no 'Email Scam' tab in Seamonkey to disable...
That's because it's talking about Thunderbird, and not SeaMonkey. If you want to disable it, then follow the instructions I gave previously.
Johnfull
Posts: 1463
Joined: November 10th, 2004, 5:18 am

Re: SeaMonkey SCAM (vice Spam) Detection

Post by Johnfull »

I'll just continue to ignore it, thank you.
It's nice to know that I'm not the only one who can't make it learn anything...
R.N. Folsom
Posts: 583
Joined: July 24th, 2004, 4:52 pm

Re: SeaMonkey SCAM (vice Spam) Detection

Post by R.N. Folsom »

R.N.Folsom wrote: However, I do remain curious about why and how the Scam feature detected this "Critical Update for Microsoft Outlook [/ Outlook Express]" Scam, which definitely is a (non-financial) Scam.

raj_bhaskar wrote: How Thunderbird’s Scam Detection Works
This is about Thunderbird, but I believe that SM and TB use the same scam detection code.

Raj_Bhaskar:

Agreed about SeaMonkey and Thunderbird using the same (untrainable) scam detection code.

And thanks also for the link. But it was written in 2005 or earlier. Nevertheless, its information appears to be useful. It said that for detecting scam email,

"Thunderbird looks at the following:
* Links that only use an IP address, including dotted decimal, octal, hex, dword, or some mixed encoding.
* Links that claim to go to one site, but actually go to another. (Phishers do this to fool you into going to their site. Legit mailing lists sometimes do this with redirectors for tracking purposes.)
* Forms embedded in the email. (This explains the LiveJournal notices.)
"It also appears to trap text URLs containing HTML-escaped characters, which explains the Spam Karma reports. In this case the report includes a spammer’s link with ​ in the hostname. The message is plain text, so Thunderbird leaves the entity as-is when displaying it…but decodes it when it creates the link. Result: a link where the text and URL don’t match."

In my case, I think that the second asterisked item above is what caused SeaMonkey to mark the fake "from microsoft.com" message that I received as a scam. So, in my initial message that started this thread, the answer to my first paragraph's question apparently is "Yes."

Thank you!

Roger Folsom
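As an added example (not SeaMonkey's or Thunderbird's own code), here are the link checks quoted above, plus the display-link versus actual-link question from the opening post, written as a small Python detector: IP-only link hosts in decimal, octal, hex or dword form, display text that names a different host than the href, and plain-text URLs carrying HTML entities that decode to a different link. The sample message and every function name are constructed for this example; the form check from the quoted list is left out.

```python
import re
from html import unescape
from html.parser import HTMLParser
from urllib.parse import urlparse

NUM_LABEL = re.compile(r"^(0x[0-9a-f]+|0[0-7]*|[1-9]\d*)$", re.I)  # hex, octal or decimal label

def is_ip_literal(host):  # all-numeric host: dotted decimal/octal/hex, a single dword, or a mix
    labels = host.split(".")
    return 1 <= len(labels) <= 4 and all(NUM_LABEL.match(l) for l in labels)

def host_of(url):  # lower-cased host of a URL or of bare 'www.' text; '' if there is none
    return (urlparse(url if "://" in url else "http://" + url).hostname or "").lower()

class LinkCollector(HTMLParser):  # gathers (href, display text) for every <a> element
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def scam_reasons(html_body):
    """Heuristic findings for an HTML body; an empty list means nothing was flagged."""
    p = LinkCollector()
    p.feed(html_body)
    reasons = []
    for href, text in p.links:
        target = host_of(href)
        if is_ip_literal(target):
            reasons.append(f"ip-literal link host: {target}")
        # display text that is itself a URL but names a different host than the href
        if re.match(r"^(https?://|www\.)", text, re.I) and host_of(text) != target:
            reasons.append(f"display {host_of(text)} vs target {target}")
    return reasons

def text_url_entity_mismatch(text_body):
    """Plain-text URLs carrying HTML entities: shown as typed but decoded when linked."""
    return [u for u in re.findall(r"\S+://\S+", text_body) if unescape(u) != u]

# Constructed samples modelled on the thread's fake "Critical Update" mail, not the real message.
SAMPLE_HTML = '<p>Install now: <a href="http://0x7f000001/kb/910721">http://www.microsoft.com/kb910721</a></p>'
SAMPLE_TEXT = "Update at http://www.micro&#8203;soft.com/kb910721 today"
```

Running scam_reasons on SAMPLE_HTML flags both the hex IP host and the microsoft.com display text, which is the goodsite/badsite pattern asked about at the top of the thread.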
sohel001
Posts: 3
Joined: July 3rd, 2009, 11:26 pm

Re: SeaMonkey SCAM (vice Spam) Detection

Post by sohel001 »

All of you probably know and many of you also use the excellent web browser ... to Google's server were not able to talk to users on other Jabber servers (and vice versa). I especially like the new phishing detection which makes Thunderbird even safer than it was, this time fighting scams.