On 2025-10-10 at 04:50:40 UTC-0400 (Fri, 10 Oct 2025 09:50:40 +0100)
Tim Bray via mailop <[email protected]>
is rumored to have said:

Hi,

I've been wondering about how email clients could change to make phishing less effective.


1) Display the email address not the name in your email folders

From: DVLA Services <[email protected] <mailto:[email protected]>>
becomes
From: [email protected] <mailto:[email protected]>

So, on a normal day, you would get used to seeing emails from `[email protected]` rather than `Tim Bray`

I'd be happy with them just returning to the old norm of showing the whole unmodified From header. After all, the "display name" part should be displayed. It just shouldn't be the only thing displayed.

I like how MailMate (a macOS MUA) does it: display name in multi-message listings, full From header shown when you open the message. If there's a '@' in the display name, it is replaced with a skull emoji.

2) In HTML email, the a tag contents are replaced with the URL you will go to. So <a href='https://dvla.tax.scam.domain.example.org' style='button'> Vehicle tax</a> becomes https://scam.example.org/ <https://scam.example.org/>

Again, I refer to MailMate: it shows target URLs on rollover and highlights them with a bright red background if they do not match the label of the <a> tag.

And any images inside an <a></a> are removed

I'm not sure that can fly. I am sure that it is workable to never load remote images inside any email without explicit user action.

I'm sure the scammers will move on, but it's just so easy to make something look convincing. Apple, Gmail, Thunderbird, Roundcube and Outlook. Just pick a day and all change.

Users can already choose better MUAs. No need for any "flag day," just a rethinking of email security.

And because Microsoft will *always* choose badly when developing mail software, someone needs to have the determination and funding to make a MUA that doesn't suck, can replace Outlook, and isn't Outlook.

I'm open to comments and feedback. I'm interested if I've missed an obvious other way to hide stuff if you are scamming people.

I think the project of phishing deterrence in MUAs is part of a 30+ year losing effort originally focused on fighting HTML. HTML was never the right choice for enriching email; it was just the easiest choice, made by people who should never have been tasked to write MUAs. In a sector where cargo-cult UI/UX has dominated for decades, we've gotten MUAs that religiously remake all the bad choices of MS and Netscape 30 years ago. Most MUA developers do not respect their users enough to do anything that might make some notionally legitimate email uglier, even if it is required to provide users with needed information. The way to suppress phishing is not going to be from pleading with incumbents who have nothing to gain from doing the needed work. We need new people who really understand email to be designing MUAs, not marketers.

Abolishing HTML mail isn't a rational goal, because people have become used to having the ability to prettify email. I believe that all we can do is encourage people to use better MUAs than they get for free from OS vendors.


--
 Bill Cole
 [email protected] or [email protected]
(AKA @[email protected] and many *@billmail.scconsult.com addresses)
 Not Currently Available For Hire
_______________________________________________
mailop mailing list
[email protected]
https://list.mailop.org/listinfo/mailop
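The three MUA-side display rules discussed in this thread (show the address and mark an '@' hidden in the display name, flag a link whose label claims a host the href does not go to, and refuse to fetch remote images without user action), written out as an added, self-contained example. This is not MailMate's code nor code from anyone on the thread; the function names, the host-matching heuristic and the sample message below are my own constructions.

```python
"""Added illustration of the anti-phishing display rules discussed on mailop.
Not MailMate's or any MUA's code; function names, the host-matching heuristic
and the sample input are constructed for this example."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

SKULL = "\u2620"  # marker substituted for an '@' that appears in a display name

# Minimal From: splitter: "display name <addr>", "<addr>" or a bare "addr".
# Deliberately not email.utils.parseaddr, which mis-parses an unquoted display
# name containing '@' (exactly the case a phisher relies on).
_FROM = re.compile(r'^\s*(?:"?(?P<name>[^"<]*?)"?\s*<(?P<addr>[^>]+)>|(?P<bare>[^<>\s]+))\s*$')


def render_from(header):
    """Render a From: header so the real address is always visible and an '@'
    inside the display name is replaced by a skull (the behaviour described for
    MailMate in the thread)."""
    m = _FROM.match(header)
    if not m:
        return header  # unparseable: show it raw rather than hide anything
    if m.group("bare"):
        return m.group("bare")
    name = m.group("name").strip().replace("@", SKULL)
    addr = m.group("addr").strip()
    return f"{name} <{addr}>" if name else addr


class _BodyAudit(HTMLParser):
    """Collect every <a> as (href, normalised label, contains_image) and every
    remote (http/https) <img src>. <img ... /> is routed through handle_starttag
    by HTMLParser's default handle_startendtag."""

    def __init__(self):
        super().__init__()
        self.anchors = []
        self.remote_images = []
        self._cur = None

    def handle_starttag(self, tag, attrs):
        a = dict(attrs)
        if tag == "a":
            self._cur = {"href": a.get("href") or "", "text": [], "img": False}
        elif tag == "img":
            src = a.get("src") or ""
            if urlparse(src).scheme in ("http", "https"):
                self.remote_images.append(src)  # would require user action to load
            if self._cur is not None:
                self._cur["img"] = True

    def handle_data(self, data):
        if self._cur is not None:
            self._cur["text"].append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._cur is not None:
            label = " ".join("".join(self._cur["text"]).split())
            self.anchors.append((self._cur["href"], label, self._cur["img"]))
            self._cur = None


# Heuristic: does the visible label itself look like a URL or hostname?
_HOSTLIKE = re.compile(r"(?:https?://)?([a-z0-9-]+(?:\.[a-z0-9-]+)*\.[a-z]{2,})", re.I)


def link_verdict(href, label, has_img):
    """'mismatch' when the label names a host that is neither the href host nor
    a parent of it (the 'red background' case), 'image-only' when the link body
    is an image with no text to judge, otherwise 'ok'."""
    host = (urlparse(href).hostname or "").lower()
    m = _HOSTLIKE.search(label)
    if m:
        claimed = m.group(1).lower()
        if claimed != host and not host.endswith("." + claimed):
            return "mismatch"
    if has_img and not label:
        return "image-only"
    return "ok"


def audit_html(body):
    """Return {'links': [(label, href, verdict), ...], 'remote_images': [src, ...]}."""
    p = _BodyAudit()
    p.feed(body)
    p.close()
    return {
        "links": [(label, href, link_verdict(href, label, img)) for href, label, img in p.anchors],
        "remote_images": p.remote_images,
    }


# Constructed sample message; the domains are placeholders, not real phishing infrastructure.
SAMPLE_BODY = """<p>Your vehicle tax is due.</p>
<a href="https://dvla.tax.scam.example/pay" style="button">Vehicle tax</a>
<a href="https://dvla.tax.scam.example/pay">https://www.gov.uk/vehicle-tax</a>
<a href="https://www.gov.uk/vehicle-tax">www.gov.uk/vehicle-tax</a>
<a href="https://dvla.tax.scam.example/img"><img src="https://dvla.tax.scam.example/pixel.gif"></a>
<img src="cid:logo">
"""

if __name__ == "__main__":
    print(render_from("DVLA Services <dvla@tax.scam.example>"))
    print(render_from("help@gov.uk <notice@tax.scam.example>"))
    for label, href, verdict in audit_html(SAMPLE_BODY)["links"]:
        print(f"{verdict:10s} {label!r} -> {href}")
    print("remote images:", audit_html(SAMPLE_BODY)["remote_images"])
```

The "Vehicle tax" button link comes back as `ok` under the label-versus-target rule, which is the gap the first proposal in the thread (replacing the label with the target URL outright) closes; the second link, whose label is a gov.uk URL pointing at a different host, is the one that gets the red background. The `cid:` image is inline MIME content and is not listed as remote.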
