Alt-text and phishing warnings

For a long time one of the “best practices” for links in HTML content has been to avoid having anything that looks like a URL or hostname in the visible content of the link, as ISP phishing filters are very, very suspicious of links that seem to mislead recipients about where the link goes. Such links are a very common pattern in phishing emails.

/* This is bad: */
<a href="http://google.com/">http://yahoo.com/</a>

/* This is bad too: */
<a href="http://google.com/">yahoo.com</a>

/* This is OK: */
<a href="http://google.com/">Yahoo</a>

/* This is risky: */
<a href="http://google.com/">google.com</a>

(The code block is mangled, because WordPress is just terrible software, but I hope you get the idea.)

Why is that last one risky? It’s OK, and not misleading, as you write it, but if your ESP uses click-tracking then they’ll rewrite the link as they send it, to redirect through their systems. And that looks very suspicious.

/* And this looks really phishy: */
<a href="http://redirector.esp.com/google.com">google.com</a>

I hadn’t really thought about the implications of this when it came to images, though. An image doesn’t really have any text associated with it, at least not in a way that a phishing filter has easy access to, so it shouldn’t be a problem.

Except they do, of course. The alt text that you add to the image to make it accessible to screen readers, and to provide some visible content when the recipient isn’t loading images.

I signed up for an account today, and the address confirmation email had a call to action button that looked like this:

<a href="https://u6979756.ct.sendgrid.net/wf/click?upn=...">
  <img alt="https://app.cosmicjs.com/verify-email?code=..."
       src="https://cosmic-s3...." />
</a>

I’m sure the alt text for the image was the URL it was originally linked to, but SendGrid’s image tracking stomped all over it.

And Thunderbird noticed, and did this when I went to click on it:

So don’t put anything that looks like a URL or a hostname as part of the content of a link, not even as image alt text.
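
A pre-send check for the pattern described in this post, as an added example (not code from the original post, and not how any particular mail client or filter works): it flags links whose visible text or image alt text looks like a URL or hostname and compares that with the host in the href. The hostname regex and the `example.*` tracking and image URLs are assumptions; the other sample links are the ones shown above.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlsplit
# Heuristic (an assumption, not any filter's actual rule): optional scheme + dotted name.
HOSTLIKE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?=[/:?\s]|$)", re.I)

class LinkLint(HTMLParser):
    """Flag links whose visible text or image alt text looks like a URL or hostname."""
    def __init__(self):
        super().__init__()
        self.href = None    # href of the <a> currently open, if any
        self.parts = []     # (source, text) pieces seen inside that <a>
        self.findings = []  # (verdict, source, shown_host, href_host)

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)
        if tag == "a" and attrs.get("href"):
            self.href, self.parts = attrs["href"], []
        elif tag == "img" and self.href is not None and attrs.get("alt"):
            self.parts.append(("alt", attrs["alt"]))

    def handle_data(self, data):
        if self.href is not None and data.strip():
            self.parts.append(("text", data))

    def handle_endtag(self, tag):
        if tag != "a" or self.href is None:
            return
        href_host = (urlsplit(self.href).hostname or "").lower()
        for source, text in self.parts:
            m = HOSTLIKE.search(text)
            if m:  # same host is still "risky": click-tracking will rewrite the href
                shown = m.group(1).lower()
                verdict = "risky" if shown == href_host else "mismatch"
                self.findings.append((verdict, source, shown, href_host))
        self.href = None

def lint(html):
    parser = LinkLint()
    parser.feed(html)
    parser.close()
    return parser.findings

# Constructed sample: the post's link examples plus a tracked image button (example.* hosts).
SAMPLE = """<a href="http://google.com/">http://yahoo.com/</a>
<a href="http://google.com/">Yahoo</a>
<a href="http://google.com/">google.com</a>
<a href="http://redirector.esp.com/google.com">google.com</a>
<a href="https://track.example.net/click"><img alt="https://app.example.com/verify" src="https://img.example.com/b.png" /></a>"""
```

Running `lint()` on the final HTML, after the ESP has rewritten the links, is what shows the `mismatch` cases; run before rewriting, the same links only show up as `risky`.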
