Alt-text and phishing warnings

For a long time one of the “best practices” for links in HTML content has been to avoid having anything that looks like a URL or hostname in the visible content of the link, as ISP phishing filters are very, very suspicious of links that seem to mislead recipients about where the link goes. That is a very common pattern in phishing emails.

<!-- This is bad: -->
<a href="http://google.com/">http://yahoo.com/</a>

<!-- This is bad too: -->
<a href="http://google.com/">yahoo.com</a>

<!-- This is OK: -->
<a href="http://google.com/">Yahoo</a>

<!-- This is risky: -->
<a href="http://google.com/">google.com</a>

(The code block is mangled, because WordPress is just terrible software, but I hope you get the idea.)

Why is that last one risky? It’s OK, and not misleading, as you write it, but if your ESP uses click-tracking then they’ll rewrite the link as they send it, to redirect through their systems. And that looks very suspicious.

<!-- And this looks really phishy: -->
<a href="http://redirector.esp.com/google.com">google.com</a>

I hadn’t really thought about the implications of this when it came to images, though. An image doesn’t really have any text associated with it, at least not in a way that a phishing filter has easy access to, so it shouldn’t be a problem.

Except they do, of course: the alt text that you add to the image to make it accessible to screen readers, and to provide some visible content when the recipient isn’t loading images.

I signed up for an account today, and the address confirmation email had a call to action button that looked like this:

<a href="https://u6979756.ct.sendgrid.net/wf/click?upn=...">
  <img alt="https://app.cosmicjs.com/verify-email?code=..."
       src="https://cosmic-s3....">
</a>

I’m sure the alt text for the image was the URL it was originally linked to, but SendGrid’s image tracking stomped all over it.

And Thunderbird noticed, and did this when I went to click on it:

So don’t put anything that looks like a URL or a hostname as part of the content of a link, not even as image alt text.
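A pre-send check for exactly this problem, written as an added example (it is not code from the original post, and the sample HTML and `example.invalid` image URL in it are constructed). It walks the anchors in an HTML email, treats the alt text of any image inside an anchor as part of the link’s visible content, and reports links whose visible content looks like a URL or hostname: a “mismatch” when that hostname differs from the href’s host (the bad and phishy cases above, including the tracking-rewritten alt text), and “hostname-in-text” when it matches (the risky case, which a click-tracker will turn into a mismatch on send). The hostname regex is a deliberately simple heuristic, so expect the occasional false positive on prose like “etc.See”.

```python
"""Flag links in HTML email whose visible text (including img alt text)
looks like a URL or hostname. Added example; not from the original post."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Heuristic: a bare hostname ("yahoo.com") or a full URL. Assumed pattern.
HOSTLIKE = re.compile(
    r"(?:https?://)?(?:[a-z0-9-]+\.)+[a-z]{2,}(?:/\S*)?", re.IGNORECASE)


def _host_of(text):
    """Return the lowercase hostname implied by URL-like text, or None."""
    m = HOSTLIKE.search(text)
    if not m:
        return None
    candidate = m.group(0)
    if "://" not in candidate:
        candidate = "http://" + candidate  # let urlparse pick out the host
    host = urlparse(candidate).hostname
    return host.lower() if host else None


class LinkTextChecker(HTMLParser):
    """Collects (href, visible_text, verdict) for every suspicious anchor."""

    def __init__(self):
        super().__init__()
        self._href = None   # href of the anchor currently open, if any
        self._buf = []      # visible content gathered inside that anchor
        self.findings = []

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href = a.get("href", "") or ""
            self._buf = []
        elif tag == "img" and self._href is not None:
            # Alt text is rendered when images are off, so it counts as
            # link content just like a text node would.
            self._buf.append(a.get("alt", "") or "")

    def handle_data(self, data):
        if self._href is not None:
            self._buf.append(data)

    def handle_endtag(self, tag):
        if tag != "a" or self._href is None:
            return
        text = " ".join(self._buf).strip()
        shown = _host_of(text)
        if shown is not None:
            actual = urlparse(self._href).hostname
            actual = actual.lower() if actual else ""
            verdict = "mismatch" if shown != actual else "hostname-in-text"
            self.findings.append((self._href, text, verdict))
        self._href = None
        self._buf = []


def check_html(html):
    """Return a list of (href, visible_text, verdict) for suspect links."""
    p = LinkTextChecker()
    p.feed(html)
    p.close()
    return p.findings


if __name__ == "__main__":
    # Constructed samples mirroring the cases discussed in the post.
    samples = [
        '<a href="http://google.com/">http://yahoo.com/</a>',
        '<a href="http://google.com/">Yahoo</a>',
        '<a href="http://google.com/">google.com</a>',
        '<a href="http://redirector.esp.com/google.com">google.com</a>',
        '<a href="https://u6979756.ct.sendgrid.net/wf/click?upn=x">'
        '<img alt="https://app.cosmicjs.com/verify-email?code=y" '
        'src="https://example.invalid/button.png"></a>',
    ]
    for s in samples:
        print(check_html(s) or "clean", "<-", s[:60])
```

Run it over the full HTML body of an outbound template before it goes to the ESP; anything reported as “hostname-in-text” is what the ESP’s click or image tracking is about to turn into a mismatch.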
