Unfortunately, this happens to a lot of newsletters and other email.
Needless to say, my newsletter isn’t scam, but seeing as how I do occasionally get this report, I thought it worthwhile to explain exactly what Thunderbird is doing. Other email programs may do something similar.
It’s also a good education on how some scams try to fool you.
The scam warning has always thrown too many false positives for my taste, so I’ll also show you how to turn it off in Thunderbird.
Become a Patron of Ask Leo! and go ad-free!
The fundamental issue is very, very simple. Hover over this link (or click, if you like; it’s safe):
The URL it links to is not the URL that is displayed. It could be trying to deceive you into clicking on what you see to get you to go somewhere else.
In other words, it could be a scam.
This is very easy to do in HTML. More traditionally, the link would be:
Which a) does not display a URL at all, but text, and b) is very clear about what to expect when you click.
Now let’s look at something a little more sinister:
You may think you’re clicking on a link to PayPal, but you’re not. If the page you land on looks like PayPal, you may not even notice.
You might get scammed.
Not all scams are easily detected, and not everything that’s detected is a scam. However, Thunderbird’s scam detection includes something like this simple rule:
- If the display text of a link “looks like” a URL that begins with http:// or https://
- and if the target of a link is also a URL that begins with http:// or https://
- then if the rest of the URL doesn’t match, it might be a scam.
The upshot is that:
would generate the warning (display text and destination are both URLs, but they are different), while
would not, because both display and destination are the same. Neither would:
because even though the display and destination are different, the displayed text is not a URL.
So why does the alert happen for a non-scam publication like my newsletter?
It’s due to a common tool used in legitimate newsletters and other mass email: click tracking.
I’ll continue to use my newsletter as an example. At the top, it includes the text:
View Online: https://newsletter.askleo.com/current-newsletter/
When the newsletter is sent, the destination of the link is automatically replaced with a different URL — a variation of “https://clicks.aweber.com/…”. Aweber is my newsletter mailing service, and “clicks.aweber.com” is the domain they use to count clicks.
When you click on the link that displays “https://newsletter.askleo.com/current-newsletter/” your browser is taken first to “http://clicks.aweber.com/…” where it simply counts the fact that you’ve clicked on that link, and then automatically forwards you to the intended destination — often faster than you’d ever notice.
But the display text and the destination encoded into the email a) are both URLs, and b) are different, so Thunderbird says, “This might be a scam.”
Even though it’s not.
Click tracking is an extremely common technique to see how popular things are. Understanding what people are clicking on is one of many ways I get a better understanding of what interests people, and how to make what we do more interesting and useful to you.
Disabling scam checking
Since it’s such a common technique, I find little value in having Thunderbird throw the warning for newsletters I’ve signed up for and know are not scams.
So I turn the feature off.
In Thunderbird, click the Edit menu,then the Preferences menu item, and in the resulting dialog, click the Security tab and then the E-mail Scams sub-tab.
Make sure “Tell me if the message I’m reading is a suspected email scam” is unchecked.
Other email programs may have similar settings to use if you’re seeing this warning too often.
Remember, too, that it is just a warning, not an absolute determination. It’s just an alert that you need to tread carefully — nothing more.
Subscribe to Confident Computing! Less frustration and more confidence, solutions, answers, and tips in your inbox every week.
I'll see you there!