[Alpine-info] deceptive links (fictitious)

Andrew C Aitchison andrew at aitchison.me.uk
Thu Nov 10 09:18:29 PST 2022

Previous message: [Alpine-info] deceptive links (fictitious)
Next message: [Alpine-info] A couple feature requests
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

On Wed, 9 Nov 2022, David Morris wrote:

> In your example, the visual text serving as an anchor probably shows:

> www.comune.milano.it

> but your URL specifies:

> urldefense.com

> That generates a deceptive URL warning because the actual server is not

> the server shown to the user in the visible text. FWIW, the apparent

> 'real' URL is missing a slash.

>

> I don't know what urldefense.com is. So at the minimum, it is probably a

> tracker, may do what the name implies OR it might do a 'hidden' proxy that

> can then examine any private information sent in the response to the

> resulting web page.

It is an enterprise protection tool from proofpoint.
Every link starting with 'urldefense.proofpoint.com' is part of the TAP
system. This checks that websites are safe to visit, with no malware. If
the site is deemed safe by Proofpoint, your browser will redirect you to
the original URL web destination. If the site is hosting malware, TAP
will block users from accessing the malicious site.

For more details, please visit our website at www.proofpoint.com

I put
display-filters=urldefense.proofpoint script to strip out what profpoint added to the URL>
into my .pinerc

> Probably safe to copy out the embeded URL and paste than into your browser

> (and fix HTTP:/ to HTTP://)

>

> On Wed, 9 Nov 2022, Lucio Chiappetti wrote:

>

>> I have just received a mail message, which reports at top the indication:

>>

>> [The following HTML text may contain deceptive links. Carefully ]

>> [ note the destination URL before visiting any links.]

>>

>> The message comes from an official site (the municipal authorities of Milan,

>> it is the yearly notification of the garbage collection tax).

>>

>> This year (*) it is an HTML-only mail. It appears in alpine all underscored

>> (this I believe it is because of <em> tags in the source), and contains links

>> of the form

>>

>> https://urldefense.com/v3/__https:/www.comune.milano.it/fascicolo-del-

>> cittadino__;!!LQkDIss!SyDMKrF1ZGZ9NC-QEg5A3e_HMACAZ_wl0T0MsBG1UUGQPmUFWIPKcP

>> B7l8ZiEIplfPzZj3g2mkkAvrAlR6Sqj39R$

>>

>> (*) apparently even last year's message contined URLs of the same form, but

>> was sent as an ascii message with an "identical content" HTML attachment (the

>> version stored in my Fcc has the HTML stripped off, since I hate these

>> double-version e-mail).

>>

>> Anyhow I think there are no "deceptive links". All the rest is sender's fault.

>>

>>

>> --

>> Lucio Chiappetti

>> _______________________________________________

>> Alpine-info mailing list

>> Alpine-info at u.washington.edu

>> http://mailman12.u.washington.edu/mailman/listinfo/alpine-info

>>

>> ----------

>>

>> This email has been scanned for spam and viruses by Proofpoint Essentials.

>> Visit the following link to report this email as spam:

>> https://us3.proofpointessentials.com/index01.php?mod_id=11&mod_option=logitem&mail_id=1668031521-AhN2mMV7bbuk&r_address=dwm%40xpasc.com&report=1

>>

> _______________________________________________

> Alpine-info mailing list

> Alpine-info at u.washington.edu

> http://mailman12.u.washington.edu/mailman/listinfo/alpine-info

>

--
Andrew C. Aitchison Kendal, UK
andrew at aitchison.me.uk

Previous message: [Alpine-info] deceptive links (fictitious)
Next message: [Alpine-info] A couple feature requests
Messages sorted by: [ date ] [ thread ] [ subject ] [ author ]

More information about the Alpine-info mailing list