Phishing Warning for GRC signup email in ProtonMail

abstractconcept

New member
Feb 9, 2021
While signing up, I noticed that the signup "GRC Public Forums - Account confirmation required" email is marked as a possible phishing attempt by ProtonMail, which links to the following page: https://protonmail.com/blog/prevent-phishing-attacks/

The structure of the email HTML seems fairly innocuous, and is fairly simple (standard email clutter of odd whitespace, table formatting, and inline CSS aside):
table > table
  tr > td
    a - GRC Forums title
  tr > td
    p - in order to complete...
    p - confirm button
  tr > td
    div - Visit GRC Public Forums

So I doubt the HTML itself is the issue. However, when I looked at the export from ProtonMail, I could not see a plain-text multipart section, and the HTML segment appeared to be base64 encoded entirely. If true, this could be what is tripping some filters; I have heard of spammers relying on HTML to mask the nature of their email, so I wonder if there are filters that see the use of HTML-only emails and/or base64 as attempted obfuscation. The multipart structure I see is:

Root: Content-Type: multipart/mixed
  Content-Type: multipart/related
    Content-Type: text/html & Content-Transfer-Encoding: base64

A caveat: If I understand correctly, ProtonMail encrypts the contents of emails stored at rest, so there is a chance that the lack of plain-text and the base64 encoding could be the effects of ProtonMail's system, which only interoperates with its webmail, apps, and bridge program, not with email clients directly. If someone else could confirm what the raw email content looks like for them, I would be curious if you can see this same multipart structure, or if you can see something else which might be

A privacy warning: If you are not sure what to look for in raw email data and share it here, please be careful about posting full email headers; these can sometimes contain your home/work IP address or your email address in multiple places. If you want to keep either of those private, please look over the headers carefully.
 
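To check the two traits the post speculates about (no text/plain part, and an HTML body that is entirely base64 encoded), here is an added example that is not from the thread or from GRC's mailer: it constructs a message with the described layout (multipart/mixed > multipart/related > text/html) and walks its MIME tree. The addresses, subject and HTML are constructed samples.

```python
# Added example: rebuild the MIME layout described in the post and apply the
# two heuristics a content filter might use. All sample data is constructed.
from email import message_from_bytes, policy
from email.mime.multipart import MIMEMultipart
from email.mime.text import MIMEText

HTML = ('<table><tr><td><a href="https://forums.example.invalid/">GRC Forums'
        '</a></td></tr><tr><td><p>In order to complete...</p></td></tr></table>')

def build_sample(html_only=True, base64_html=True):
    """Return a constructed confirmation-style mail as bytes.
    The stdlib picks base64 for a utf-8 charset and 7bit for us-ascii."""
    html_part = MIMEText(HTML, "html", "utf-8" if base64_html else "us-ascii")
    if html_only:
        inner = html_part
    else:  # add the text/plain alternative the post could not find
        inner = MIMEMultipart("alternative")
        inner.attach(MIMEText("In order to complete...", "plain", "us-ascii"))
        inner.attach(html_part)
    related = MIMEMultipart("related")
    related.attach(inner)
    root = MIMEMultipart("mixed")
    root["From"] = "noreply@forums.example.invalid"  # constructed
    root["To"] = "user@example.invalid"              # constructed
    root["Subject"] = "Account confirmation required"
    root.attach(related)
    return root.as_bytes()

def structure(part):
    """Nested list of content types, e.g. ['multipart/mixed', [...]]."""
    if part.is_multipart():
        return [part.get_content_type()] + [structure(p) for p in part.get_payload()]
    return part.get_content_type()

def analyze(raw):
    """Flag the two traits the post suspects filters react to."""
    msg = message_from_bytes(raw, policy=policy.default)
    has_plain = html_base64 = False
    for part in msg.walk():
        ctype = part.get_content_type()
        if ctype == "text/plain":
            has_plain = True
        elif ctype == "text/html":
            cte = (part.get("Content-Transfer-Encoding") or "7bit").strip().lower()
            html_base64 = html_base64 or cte == "base64"
    return {"tree": structure(msg), "html_only": not has_plain,
            "html_base64": html_base64,
            # both traits together look like obfuscation to a naive filter
            "looks_obfuscated": not has_plain and html_base64}

if __name__ == "__main__":
    for kwargs in ({}, {"html_only": False, "base64_html": False}):
        print(analyze(build_sample(**kwargs)))
```

Running it prints one result for the HTML-only base64 layout from the post and one for the same mail with a text/plain alternative, so you can see which traits change.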

pmikep

Well-known member
Dec 26, 2020
57
8
Perhaps a stupid question on my part, but if Proton is sending you messages warning that an email might be a phishing attempt, then doesn't that indicate that Proton is reading your mail? Which seems counter to what a private email provider should be doing.
 

abstractconcept

New member
Feb 9, 2021
Perhaps a stupid question on my part, but if Proton is sending you messages warning that an email might be a phishing attempt, then doesn't that indicate that Proton is reading your mail? Which seems counter to what a private email provider should be doing.

Most, if not all, email providers scan emails as they come in for virus and spam potential, and to check via SPF/DKIM/DMARC if the server sending them was allowed to. Then they add some form of header to indicate whether or not the email is possibly dangerous. For example, this is what Thunderbird’s Trust junk mail headers set by: ___ option uses.

According to the Mail Servers section of their 2016 whitepaper, ProtonMail processes incoming mail with OpenDKIM, OpenDMARC, ClamAV, and SpamAssassin before encrypting it for delivery to the user. So at most, inbound unencrypted email stays unencrypted for only a moment longer, but I think this is probably necessary to let the spam/virus/phishing prevention systems work correctly. You could in theory push these checks onto the client (webapp, app, bridge), but I imagine that could leave the server more susceptible to DOS attacks, and decrease effectiveness, since the spam/virus/phishing prevention systems are no longer looking at the original unmodified email as it was received.

Anyway, the phishing warning is then displayed by the client (webmail in my case) where it appears in between the To/From/Subject info and the body of the email. For an example, it looks like the domain authentication warning shown here, but with different text, and a different link. So it is not really a message being sent by ProtonMail, it is probably a flag added by the receiving SMTP server that the web client understands.

A further note on ProtonMail: Since PGP (which ProtonMail is built around) is not normally able to encrypt email headers, and ProtonMail warns that Subject lines and recipient/sender email addresses are not end-to-end encrypted, this means that headers are likely not encrypted. So since the spam/virus/phishing assessment is probably being stored as a header, ProtonMail could theoretically be able to see which of your stored emails are potentially spam, but not what the body of those emails contains.
 
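The mechanism the reply describes, a receiving server recording its SPF/DKIM/DMARC and spam verdicts in headers that the client later turns into a banner, as an added example that is not from the thread or from any ProtonMail code: it reads the standard Authentication-Results header (RFC 8601) and SpamAssassin's X-Spam-Flag from constructed sample messages; the hostnames and verdict names are assumptions.

```python
# Added example: derive client warning banners from headers the receiving
# server stamped on the message. Sample messages and hostnames are constructed.
from email import message_from_string, policy

def parse_auth_results(value):
    """'authserv; spf=pass ...; dkim=fail ...' -> {'spf': 'pass', 'dkim': 'fail'}"""
    results = {}
    for clause in value.split(";")[1:]:  # element 0 is the authserv-id
        clause = clause.strip()
        if not clause:
            continue
        method, _, result = clause.split()[0].partition("=")
        results[method.lower()] = result.lower()
    return results

def client_warnings(raw):
    """Return the banners a client would show, using only stored headers."""
    msg = message_from_string(raw, policy=policy.default)
    warnings = []
    auth = parse_auth_results(msg.get("Authentication-Results", ""))
    dmarc = auth.get("dmarc")  # DMARC is the policy verdict when present
    if dmarc is not None and dmarc != "pass":
        warnings.append("domain_authentication_failed")
    elif dmarc is None and auth.get("spf") != "pass" and auth.get("dkim") != "pass":
        warnings.append("domain_authentication_failed")  # no DMARC, both checks failed
    if msg.get("X-Spam-Flag", "").strip().upper() == "YES":
        warnings.append("flagged_as_spam")
    return warnings

FAILING = """\
Authentication-Results: mx.example.invalid; spf=fail smtp.mailfrom=forums.example.invalid; dkim=fail header.d=forums.example.invalid; dmarc=fail header.from=forums.example.invalid
X-Spam-Flag: YES
X-Spam-Status: Yes, score=6.1 required=5.0
From: noreply@forums.example.invalid
Subject: Account confirmation required

body
"""

PASSING = """\
Authentication-Results: mx.example.invalid; spf=pass smtp.mailfrom=forums.example.invalid; dkim=pass header.d=forums.example.invalid; dmarc=pass header.from=forums.example.invalid
X-Spam-Flag: NO
From: noreply@forums.example.invalid
Subject: Account confirmation required

body
"""

if __name__ == "__main__":
    print(client_warnings(FAILING), client_warnings(PASSING))
```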

PHolder

Well-known member
Sep 16, 2020
As far as I am concerned it is rarely (if ever) the correct response for a sender to alter the way they send content to make a receiver happy. If your mail server is potentially flagging or blocking messages as malicious when they are not, then you should address your issue to the mail server owner and not to the sender of the emails you receive.
 