Alt-text and phishing warnings

For a long time one of the “best practices” for links in HTML content has been to avoid having anything that looks like a URL or hostname in the visible content of the link, as ISP phishing filters are very, very suspicious of links that seem to mislead recipients about where the link goes. Visible text that names one host while the href points at another is a very common pattern in phishing emails.

/* This is bad: */
<a href="http://google.com/">http://yahoo.com/</a>

/* This is bad too: */
<a href="http://google.com/">yahoo.com</a>

/* This is OK: */
<a href="http://google.com/">Yahoo</a>

/* This is risky: */
<a href="http://google.com/">google.com</a>

(The code block is mangled, because WordPress is just terrible software, but I hope you get the idea.)

Why is that last one risky? It’s OK, and not misleading, as you write it. But if your ESP (email service provider) uses click-tracking then it will rewrite the link as it sends the message, so that each click redirects through the ESP’s systems. The visible text still says google.com, the href now points at the tracking host, and to a filter that looks very suspicious.

/* And this looks really phishy: */
<a href="http://redirector.esp.com/google.com">google.com</a>

I hadn’t really thought about the implications of this when it came to images, though. An image doesn’t really have any text associated with it, at least not in a way that a phishing filter has easy access to, so it shouldn’t be a problem.

Except it does, of course. The alt text you add to an image, to make it accessible to screen readers and to give the recipient something to see when they aren’t loading images, is text a filter can read just as easily as the text of a link.

I signed up for an account today, and the address confirmation email had a call to action button that looked like this:

<a href="https://u6979756.ct.sendgrid.net/wf/click?upn=...">
  <img alt="https://app.cosmicjs.com/verify-email?code=..."
       src="https://cosmic-s3...." />
</a>

I’m sure the alt text for the image was the URL it was originally linked to, but SendGrid’s image tracking stomped all over it.

And Thunderbird noticed, and did this when I went to click on it:

So don’t put anything that looks like a URL or a hostname in the content of a link, not even as image alt text.
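To make the rule concrete, here is an added example, not code from the original post and not how any real filter or Thunderbird implements its check: a small Python checker that walks the HTML of a message, gathers the text of each link (including the alt text of any image inside it), and flags link text that looks like a URL or hostname but does not match the href’s host. It also simulates an ESP’s click-tracking rewrite so you can see the “risky” case turn into the “phishy” one. The heuristic regex, the verdict names and the hosts redirector.esp.example, app.example.com and cdn.example.com are constructed for this example; only the google.com/yahoo.com samples come from the post.

```python
"""Flag anchors whose visible text (including <img alt>) names a host that
does not match the href. Constructed example; heuristic only."""
import re
from html.parser import HTMLParser
from urllib.parse import quote, urlsplit

# What a filter would treat as "looks like a URL or hostname": optional scheme,
# one or more dotted labels, an alphabetic TLD, optional path/query/fragment.
# Constructed heuristic, not any particular filter's rule.
HOSTLIKE = re.compile(
    r"^(?:[a-z][a-z0-9+.-]*://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:[/?#]\S*)?$", re.I)


def host_of(text):
    """Return the lowercased hostname a reader would infer from text, or None
    when the text does not look like a URL/hostname at all."""
    text = text.strip()
    if not HOSTLIKE.match(text):
        return None
    if "://" not in text:
        text = "http://" + text       # bare "yahoo.com" reads as a link to yahoo.com
    return (urlsplit(text).hostname or "").lower() or None


class LinkTextParser(HTMLParser):
    """Collect (href, visible text) for every <a>, counting <img alt> as text."""

    def __init__(self):
        super().__init__()
        self.links = []    # finished (href, text) pairs
        self._stack = []   # open anchors: (href, [text fragments])

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a":
            self._stack.append((attrs.get("href") or "", []))
        elif tag == "img" and self._stack:
            # alt text is what a recipient sees with images off and what a
            # screen reader speaks, so it is link text as far as a filter cares
            self._stack[-1][1].append(attrs.get("alt") or "")

    def handle_data(self, data):
        if self._stack:
            self._stack[-1][1].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._stack:
            href, parts = self._stack.pop()
            self.links.append((href, " ".join(p.strip() for p in parts if p.strip())))


def classify(href, text):
    shown = host_of(text)
    if shown is None:
        return "ok"        # plain words: nothing to mislead about
    actual = (urlsplit(href).hostname or "").lower()
    if shown == actual:
        return "risky"     # truthful today; any click-tracking rewrite breaks it
    return "phishy"        # text claims one host, link goes somewhere else


def check_links(html):
    """Return [(href, text, verdict)] for every anchor in html."""
    p = LinkTextParser()
    p.feed(html)
    p.close()
    return [(href, text, classify(href, text)) for href, text in p.links]


def add_click_tracking(html, tracker="https://redirector.esp.example/click?url="):
    """Simulate an ESP rewriting every href through its redirector (constructed)."""
    return re.sub(r'href="([^"]*)"',
                  lambda m: 'href="%s%s"' % (tracker, quote(m.group(1), safe="")), html)


# Constructed sample message: the post's four cases plus an alt-text button.
SAMPLES = """
<a href="http://google.com/">http://yahoo.com/</a>
<a href="http://google.com/">yahoo.com</a>
<a href="http://google.com/">Yahoo</a>
<a href="http://google.com/">google.com</a>
<a href="https://redirector.esp.example/click?u=1"><img
   alt="https://app.example.com/verify-email?code=1"
   src="https://cdn.example.com/button.png"></a>
"""

if __name__ == "__main__":
    for href, text, verdict in check_links(SAMPLES):
        print(f"{verdict:6}  {text!r:48} -> {href}")
    print("--- same message after click tracking ---")
    for href, text, verdict in check_links(add_click_tracking(SAMPLES)):
        print(f"{verdict:6}  {text!r:48} -> {href}")
```

Running it shows the fourth sample go from “risky” to “phishy” once the href is wrapped in a tracking redirect, and the image button flagged as “phishy” purely on its alt text; change that alt to “Verify your email” and the same anchor comes back “ok”.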
