Alt-text and phishing warnings

For a long time one of the “best practices” for links in HTML content has been to avoid having anything that looks like a URL or hostname in the visible content of the link, as ISP phishing filters are very, very suspicious of links that seem to mislead recipients about where the link goes. They’re a very common pattern in phishing emails.

/* This is bad: */
<a href="http://google.com/">http://yahoo.com/</a>

/* This is bad too: */
<a href="http://google.com/">yahoo.com</a>

/* This is OK: */
<a href="http://google.com/">Yahoo</a>

/* This is risky: */
<a href="http://google.com/">google.com</a>

(The code block is mangled, because WordPress is just terrible software, but I hope you get the idea.)

Why is that last one risky? It’s OK, and not misleading, as you write it, but if your ESP (email service provider) uses click-tracking then they’ll rewrite the link as they send it, to redirect through their systems. And that looks very suspicious.

/* And this looks really phishy: */
<a href="http://redirector.esp.com/google.com">google.com</a>

I hadn’t really thought about the implications of this when it came to images, though. An image doesn’t really have any text associated with it, at least not in a way that a phishing filter has easy access to, so it shouldn’t be a problem.

Except they do, of course: the alt text that you add to the image to make it accessible to screen readers, and to provide some visible content when the recipient isn’t loading images, is text a filter can read just as easily as the text of a link.

I signed up for an account today, and the address confirmation email had a call to action button that looked like this:

<a href="https://u6979756.ct.sendgrid.net/wf/click?upn=...">
  <img alt="https://app.cosmicjs.com/verify-email?code=..."
       src="https://cosmic-s3...." />
</a>

I’m sure the alt text for the image was the URL it was originally linked to, but sendgrid’s image tracking stomped all over it.

And Thunderbird noticed, and did this when I went to click on it:

So don’t put anything that looks like a URL or a hostname as part of the content of a link, not even as image alt text.
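As an added example (not part of the original post), here is a small template lint that applies the rule above before an email goes out: it collects each link’s visible text, treating the alt text of any image inside the link as text, and flags text that is nothing but a URL or hostname. The URL-like regex is our own heuristic, not any filter’s actual rule; the sample HTML is constructed from the post’s patterns, with PLACEHOLDER standing in for the tracking tokens and a made-up image src.

```python
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# Our heuristic (not a real filter rule): text that is only a URL or a bare hostname.
URL_LIKE = re.compile(r"^(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})(?:[/?#]\S*)?$", re.I)

class LinkCollector(HTMLParser):
    """Collect (href, visible text) per <a>; an <img alt> inside counts as text."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._href, self._text = a.get("href", ""), []
        elif tag == "img" and self._href is not None:
            self._text.append(a.get("alt") or "")
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, " ".join(self._text).strip()))
            self._href = None

def verdict(href, text):
    """'ok' if text is not URL-like; 'risky' if it names href's own host (a
    click-tracking rewrite would break that); 'mismatch' if it names another host."""
    m = URL_LIKE.match(text)
    if not m:
        return "ok"
    actual = (urlparse(href).hostname or "").lower()
    return "risky" if m.group(1).lower() == actual else "mismatch"

def lint_links(html):
    parser = LinkCollector()
    parser.feed(html)
    return [(href, text, verdict(href, text)) for href, text in parser.links]

# Constructed sample: the post's link patterns plus a tracked CTA image whose alt
# text still carries the original destination (PLACEHOLDER stands in for tokens).
SAMPLE_EMAIL = """
<a href="http://google.com/">http://yahoo.com/</a>
<a href="http://google.com/">Yahoo</a>
<a href="http://google.com/">google.com</a>
<a href="http://redirector.esp.com/google.com">google.com</a>
<a href="https://u6979756.ct.sendgrid.net/wf/click?upn=PLACEHOLDER">
  <img alt="https://app.cosmicjs.com/verify-email?code=PLACEHOLDER" src="https://img.example.com/cta.png"/></a>
"""
```

Running `lint_links(SAMPLE_EMAIL)` marks the tracked image link as a mismatch because its alt text names app.cosmicjs.com while the href points at the SendGrid redirector, which is exactly what the mail client objected to.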
