Alt-text and phishing warnings

For a long time one of the “best practices” for links in html content has been to avoid having anything that looks like a URL or hostname in the visible content of the link, as ISP phishing filters are very, very suspicious of links that seem to mislead recipients about where the link goes to. They’re a very common pattern in phishing emails.

/* This is bad: */
<a href="http://google.com/">http://yahoo.com/</a>

/* This is bad too: */
<a href="http://google.com/">yahoo.com</a>

/* This is OK: */
<a href="http://google.com/">Yahoo</a>

/* This is risky: */
<a href="http://google.com/">google.com</a>

(The code block is mangled, because WordPress is just terrible software, but I hope you get the idea.)

Why is that last one risky? It’s OK, and not misleading as you write it but if your ESP uses click-tracking then they’ll rewrite the link as they send it, to redirect through their systems. And that looks very suspicous.

/* And this looks really phishy: */
<a href="http://redirector.esp.com/google.com">google.com</a>

I hadn’t really thought about the implications of this when it came to images, though. An image doesn’t really have any text associated with it, at least not in a way that a phishing filter has easy access to, so shouldn’t be a problem.

Except they do, of course. The alt text that you add to the image to make it accessible to screen readers, and to provide some visible content when the recipient isn’t loading images.

I signed up for an account today, and the address confirmation email had a call to action button that looked like this:

<a href="https://u6979756.ct.sendgrid.net/wf/click?upn=...">
  <img alt="https://app.cosmicjs.com/verify-email?code=..."
       src="https://cosmic-s3..../>
</a>

I’m sure the alt text for the image was the URL it was originally linked to, but sendgrid’s image tracking stomped all over it.

And Thunderbird noticed, and did this when I went to click on it:

So don’t put anything that looks like a url or a hostname as part of the content of a link, not even as image alt text.

Click to rate this post!
[Total: 0 Average: 0]

Check Also

let’s-talk:-reputation

Let’s Talk: Reputation

The next 3 or 4 Let’s Talk sessions are going to be all about reputation. We’ll start with a general overview of reputation and identity, then move on to specific kinds of reputation (IP, domain, URL, content), then we’ll talk about how to create, maintain and repair reputation. Still working on the outline, but I’m pretty convinced this will be at least 3 sessions. Let’s…

>