eftychia: Me in kilt and poofy shirt, facing away, playing acoustic guitar behind head (Default)
posted by [personal profile] eftychia at 05:25am on 2005-01-29

"This girl I know was singled out once by the insane campus preacher as an example of how 'proper' women should dress. She was just walking by, wearing some long flowing dress. Upon being singled out, and without missing a beat, she took off the dress mid stride and continued on to class wearing nothing but tidywhities and combat boots.

"I'm told the preacher nearly had a heart attack."

-- [livejournal.com profile] dorsey, 2004-08-28

posted by [personal profile] eftychia at 04:13pm on 2005-01-29

I'm about to hit the road to go get my nails done and drive down to Fairfax and set up sound for the Homespun Ceilidh Band gig tonight, and I'll likely be pretty much out of net-contact for the rest of the weekend (but hey, the comments will still be here when I'm back within reach). Before I go, I've got a question about the latest phishing spam I noticed in my mailbox...

Does this bit do what I think it does?

<a href="http://211.235.241.129/webscr/" 
   onMouseOver="window.status='https://www.paypal.com';return true;" 
   onMouseOut="window.status=' '; return true;">
   Click here to verify your Information</a>

It looks (to this reader who doesn't know Javascript) as though it'll make the little spot in the tool/widget-bar that normally displays the actual URL of a link when you mouse over it, display the link they want you to think you'd be going to instead of the one actually pointed to. Am I right? Does this work in most browsers (or, more importantly, HTML-aware mail apps) if Javascript is turned on?

'Cause if so, that's kind of icky. It means we can't just tell our stuck-with-dangerous-MUA friends and our insufficiently-net-savvy relatives to simply "make sure the tooltip URL and the displayed URL agree" to check for phishing. They really would have to go and view the source of each email message that includes links, and be patient enough (or have a sharp enough eye) to wade through the really fugly layout of the HTML code for most of these messages in order to spot this. Yuck. It's one thing for me to say, "Oh, that looks fishy but I'll open it anyhow; oh look, messy HTML, even more fishy; ah, there's the HREF, and looky at that, it points to a non-PayPal address." It's a whole 'nuther think to expect my mother to do it. (She can run rings around me in modern versions of Word Perfect, but she'd be lost diving into HTML source.)

Worse, someone I spoke to at a photo lab who was complaining about her computer setup discovered that if she turns off Javascript in her mail app, a whole lot of things she depends on break (apparently the MUA configuration and the browser configuration interact even though they give the appearance of being two separate programs ... I was confused, but then I use neither Outlook nor Internet Explorer and have no idea how they affect each other). Unfortunately, my ranting Yet Again about how [expletive]ed up it is to have MAIL CLIENTS [expletive]ing EXECUTE [expletive]ing UNTRUSTED CODE sent as [expletive]ed attachments, will a) take too much time and b) do nothing to solve this problem since idjits at various companies have already saddled users with that particular grievous error.

<voice tone="curmudgeon">Basically, nobody should be using those newfangled GUI Trojan horses disguised as mail programs, but that's easy for me to say because I don't like the user interface of any of them that I've seen so far anyhow.</voice>

If the above snippet of code does do what I think it does, and does it most places, then I guess the only sane approach for anyone who is stuck using a vulnerable MUA (i.e. one that executes Javascript) is: never click on a link in an email message, ever. (Remember that most worms these days will forge a return address from the infected machine's address book, which means there's a good chance they'll look like they come from someone you know. If someone incorporates a phishing scheme into a worm -- I'm betting it's been done by now -- then even "only click links in mail from people you know" isn't safe.) Which pretty much makes the program's ability to make links clickable a wasted feature, but oh well.
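The check the post wishes non-technical users could do by hand ("does the URL the link shows match the URL it really goes to?") can be done mechanically over the HTML of a message. The following is an added example written for this page, not code from the original post or from any mail client: a small Python checker that parses every anchor in an HTML message and flags the status-bar spoof quoted above (an onMouseOver/onMouseOut handler that assigns window.status), hrefs whose host is a bare IP address, and any mismatch between the host a link claims in its handler or visible text and the host the href actually points to. The sample message is constructed from the anchor quoted in the post plus one legitimate link for comparison; the function names are this example's own.

```python
"""Flag HTML e-mail links whose real destination is disguised.

Added example (not from the original post). It looks for the status-bar
spoof discussed above (onMouseOver="window.status=..."), for hrefs that
point at a bare IP address, and for mismatches between the host a link
claims (in its handler or visible text) and the host it really goes to.
"""
import re
from html.parser import HTMLParser
from ipaddress import ip_address
from urllib.parse import urlparse

# Matches an http(s) URL inside a JavaScript string or in link text.
URL_RE = re.compile(r"https?://[^\s'\"<>]+")


def host_of(url):
    """Return the lower-cased host part of a URL, or '' if it has none."""
    return (urlparse(url.strip()).hostname or "").lower()


def is_ip_host(host):
    """True when the host is a literal IPv4/IPv6 address rather than a name."""
    try:
        ip_address(host)
        return True
    except ValueError:
        return False


class LinkCollector(HTMLParser):
    """Collect every <a> element with its attributes and visible text."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._current = None

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            # HTMLParser already lower-cases attribute names (onMouseOver -> onmouseover).
            self._current = {name: (value or "") for name, value in attrs}
            self._current["text"] = ""

    def handle_data(self, data):
        if self._current is not None:
            self._current["text"] += data

    def handle_endtag(self, tag):
        if tag == "a" and self._current is not None:
            self.links.append(self._current)
            self._current = None


def audit_links(html):
    """Return a list of (href, [reasons]) for every anchor that looks disguised."""
    parser = LinkCollector()
    parser.feed(html)
    findings = []
    for link in parser.links:
        href = link.get("href", "")
        real_host = host_of(href)
        reasons = []
        if is_ip_host(real_host):
            reasons.append("href host is a bare IP address")
        # Event handlers that rewrite the status bar, or that name a different host.
        for attr in ("onmouseover", "onmouseout", "onclick"):
            handler = link.get(attr, "")
            if "window.status" in handler.lower():
                reasons.append(f"{attr} rewrites the status bar")
            for claimed in URL_RE.findall(handler):
                if host_of(claimed) != real_host:
                    reasons.append(f"{attr} shows {host_of(claimed)} but href goes to {real_host}")
        # Visible text that spells out a URL whose host differs from the real one.
        for claimed in URL_RE.findall(link["text"]):
            if host_of(claimed) != real_host:
                reasons.append(f"link text shows {host_of(claimed)} but href goes to {real_host}")
        if reasons:
            findings.append((href, reasons))
    return findings


# Constructed sample: the phishing anchor quoted in the post, plus one
# legitimate link whose visible text and href agree.
SAMPLE_MAIL = """
<a href="http://211.235.241.129/webscr/"
   onMouseOver="window.status='https://www.paypal.com';return true;"
   onMouseOut="window.status=' '; return true;">
   Click here to verify your Information</a>
<p>Or read the policy at <a href="https://www.paypal.com/help">https://www.paypal.com/help</a></p>
"""

if __name__ == "__main__":
    for href, reasons in audit_links(SAMPLE_MAIL):
        print(href)
        for reason in reasons:
            print("  -", reason)
```

Run as a script it prints the phishing href with four reasons (bare IP host, both handlers rewriting the status bar, and the onMouseOver claiming www.paypal.com while the href goes to the IP address) and stays silent on the legitimate link. Parsing the message source this way sidesteps the problem the post raises: it does not matter what the status bar or tooltip displays, because the check reads the href attribute directly.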
