I blogged a while ago about Thunderbird’s phishing filter trapping a seemingly innnocent mail. Now, a reader has forwarded to me a genuine email from Citibank that he says was trapped by Thunderbird. I’m not going to reproduce the email here because it contains private details of the user, but it is a valid Citibank message.
Thunderbird thinks it’s a scam because Citibank uses one of the oldest phishing tricks in the book. The have a URL displayed in the message then when clicked goes to a totally different URL.
Sadly, this has proven to be really quite common. We’ve investigated using this rule as a worthwhile phish-detection rule in SpamAssassin, several times, and without much luck. In fact, we’ve had to create a FAQ entry for it — since it’s such a superficially-attractive but ultimately useless, idea, many people have had long discussions on our lists about it!
The companies that produce these false positives in their mails include American Express, Bed Bath & Beyond, Universal Studios, Microsoft, Hilton Hotels — and now Citibank.
A couple of other examples from real mails:
<a href="http://www65.americanexpress.com/clicktrk/Tracking? mid=MESSAGEID&msrc=ENG-ALERTS&url= https://www.americanexpress.com/estatement/?12345"> https://www.americanexpress.com/estatement/?12345</a> <A HREF="http://echo.epsilon.com/WebServices/EchoEngine/T.aspx?l=ID"> https://www.hilton.com/en/ww/email/tab_email_subscriptions.jhtml</A>
By the way, it really is quite impressive for a bank as heavily phished as Citibank to still be making this kind of basic mistake in their mail-outs! It reinforces a point I made in a mailing list posting recently:
As far as I can see, the approach taken by pretty much all banks to their online services is simply too bureaucratic, hide-bound, and fundamentally driven by their marketing departments, to ever cope effectively with phishing. :(
(For what it’s worth, I know Citi have some smart techies working there; but the rest of the company needs to start paying attention to them.)