Internet and e-mail policy and practice
including Notes on Internet E-mail



12 Jun 2005

Phish-proofing URLs in mail?

For those who've been living in an e-mail-free cave for the past year, phishing has become a huge problem for banks. Every day I get dozens of urgent messages from a wide variety of banks telling me that I'd better confirm my account info pronto. Early bank phishes were pretty clumsy, but the crooks have gotten better at it and current phishes can look very authentic. See this archive of recent phishes at for some examples.

A very common trick is the fake link, in which the link you think you're clicking on isn't the one you're really clicking on, like this:

<a href=""></a>

The link looks like it's to, but really it's to a fake web site at

Several people have been floating proposals to extend authentication schemes to the URLs in a mail message. A sender might declare that all of the links in its mail are to its own domain, e.g., if the sender is, all of the links have to be to or maybe Current path authentication schemes don't handle this, but it wouldn't be too hard to retrofit into SPF. Signature schemes wouldn't need any changes other than for the software that signs the mail to check the mail first and not sign it if it contains nasty stuff.

The hardest part of implementing this is for the banks to adjust the way that they send their mail. I get a fair amount of bank mail: notices that a credit card bill is available, confirming that I've made a change to an account, or that a deposit account has gone above or below a specified amount. Remarkably few of those messages come from anywhere you might recognize. More often than not they come from a service bureau that handles the function for the bank, not from the bank itself. (I passed some of these messages around to experienced spam-fighting friends, most of whom couldn't tell whether they were real. I'll post some of them here shortly.)

So the question is, is it worth the effort to make all of the senders and URLs match up? At this point, my feeling is probably not. If we're going to use message signatures, it doesn't matter what's in the message so long as you trust the signer.

posted at: 16:11


© 2005-2018 John R. Levine.