
Occasionally, security software examines links in email and alerts you if something is suspicious. Frequently, as in my newsletter, it's totally benign.

My email client, Thunderbird, thinks that your newsletters are a scam. I get an overall message with the email, plus a warning whenever I click on a link. This doesn't bother me, and no doubt I could fix it by setting something in the client, but it must be happening to others, and I thought you might want to know so you can fix whatever is triggering it.

Unfortunately, this happens to a lot of newsletters and other mailings. Needless to say my newsletter's no scam, but seeing as how I do run Thunderbird myself, and how I do occasionally get this report from folks, I thought it worthwhile to explain exactly what Thunderbird is doing, especially since other email programs may be doing something similar.

And it's a good education on how some scams try to fool you.

The scam warning has always thrown too many false positives for my taste, so I'll also show you how to turn it off in Thunderbird.

Thunderbird thinking Ask Leo! newsletter might be a scam.

The fundamental issue is very, very simple. Hover over this link (or click, if you like - it's safe):

The URL it links to is not the URL that is displayed. It might be trying to deceive you into clicking on what you see to get you to go somewhere else.

In other words, it might be a scam.

This is very easy to do in HTML. More commonly, the link would be:

Buy Leo Coffee!

Which a) is not displaying a URL at all, but text, and b) is very clear about what to expect when you click.

Now let's look at something a little more sinister:

You may think you're clicking on a link to PayPal, but you're not. If the page you land on looks like PayPal, however, you may not even notice.

You might get scammed.

Now, not all scams can be easily detected, and not everything that's detected is a scam. However, Thunderbird's scam detection includes something like this simple rule:

  • If the display text of a link "looks like" a URL that begins with http://

  • and if the target of a link is also a URL that begins with http://

  • then if the rest of the URL doesn't match, it might be a scam.

The upshot is that:

would generate the warning (display text and destination are both URLs, but they are different), while

would not - both display and destination are the same. Neither would:

Since even though the display and destination are different, the displayed text is not a URL.

So why is it happening in a non-scam publication like my newsletter?

In fact, it's due to an extremely common and legitimate tool used in legitimate newsletters and other mass emailings: click tracking.

I'll continue to use my newsletter as an example. I occasionally include links, often from advertisers, that are complete URLs. For example: "" might be both the display text and the destination of an advertiser's link.

When the newsletter is sent, the destination of the link is automatically replaced with a different URL - something like "". Aweber is my newsletter mailing service, and "" is the domain they use to count clicks. When you click on the link that displays "" you're actually taken first to "" where it simply counts the fact that you've clicked on that link, and then automatically forwards you to the intended destination, often faster than you'd ever notice.

But the display text and the destination that are encoded into the email a) are both URLs, and b) are different - so Thunderbird says "this might be a scam".

Even though it's not.
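The rule described above, and the click-tracking case that trips it, can be reproduced with the following added example; it is not Thunderbird's code and not part of the original article. The sample message and its domains are constructed, and treating https:// like http:// and ignoring host case and a trailing slash are assumptions.

```python
from html.parser import HTMLParser
from urllib.parse import urlsplit

# Constructed sample message body; every domain is a reserved example name.
SAMPLE = """
<a href="http://shop.example.com/coffee">Buy coffee!</a>
<a href="http://shop.example.com/coffee">http://shop.example.com/coffee</a>
<a href="http://login.example.net/signin">http://www.example.org/</a>
<a href="http://clicks.example.net/ct/123">http://shop.example.com/coffee</a>
"""

class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def looks_like_url(s):
    # Assumption: https:// is treated the same as the http:// in the rule.
    return s.lower().startswith(("http://", "https://"))

def rest_of_url(url):
    # Everything after the scheme, ignoring host case and a trailing slash.
    p = urlsplit(url.strip())
    return (p.netloc.lower(), p.path.rstrip("/"), p.query)

def suspicious_links(html):
    """Return (display text, destination) pairs the rule would warn about."""
    parser = LinkCollector()
    parser.feed(html)
    parser.close()
    return [(text, href) for href, text in parser.links
            if looks_like_url(text) and looks_like_url(href)
            and rest_of_url(text) != rest_of_url(href)]

if __name__ == "__main__":
    for text, href in suspicious_links(SAMPLE):
        print(f"WARN: shows {text!r} but goes to {href!r}")
```

The third and fourth sample links are both flagged: the rule cannot tell a lookalike destination from a click-tracking redirect, which is exactly why a legitimate newsletter triggers the warning.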

It's an extremely common technique to see just how popular things are. Understanding what people are clicking on is one of many ways that I and my advertisers get a better understanding of exactly what it is that interests people, and how better to target what we do to be more interesting and useful to you.

Since it's such a common technique, I personally find little value in having Thunderbird throw the warning all the time, for newsletters that I've signed up for and that I know are not scams. Unfortunately, not all email programs let you "whitelist" or say "these emails are always good" when it comes to scam detecting.

So I turn the feature off.

In Thunderbird's Tools, Options, Privacy, E-mail Scams dialog:

Thunderbird scam warning option.

simply make sure that "Tell me if the message I'm reading is a suspected email scam" is unchecked.

Other email programs may have similar settings if you're seeing this warning too often.

Remember, too, that it is just a warning, not an absolute determination. With this feature enabled, which you may elect to do, it's just an alert that you need to tread carefully, nothing more.

And now you'll know what to look for.

Article C3758 - June 10, 2009

Leo A. Notenboom has been playing with computers since he was required to take a programming class in 1976. An 18-year career as a programmer at Microsoft soon followed. After "retiring" in 2001, Leo started Ask Leo! in 2003 as a place for answers to common computer and technical questions.


Mark Jacobs
June 11, 2009 5:15 AM

I learned a lot from this post but I disagree with turning off the Phishing warning. For example, if you get a warning about an email from your bank or PayPal most likely it really is a phishing attack. So, I suggest keeping the filter on and being aware that some newsletters might get flagged. Instead of signing up for newsletters, I put a bookmark on the bookmarks toolbar of the sites I check out regularly.

Carl R. Goodwin
June 16, 2009 6:30 PM

Ironically, I get this warning EVERY week, but ONLY with Leo's newsletter lol.

July 13, 2010 2:09 PM

Hey Leo, good post. I guess I am just hoping that all my opt-ins won't be using Thunderbird. I'd like to add that, putting a "Warning: If You Are Using Thunderbird" note on your Aweber Confirmation (right after signup) might be a good idea. Some people see "scam" and instantly freak, and I guarantee this will cause some lost sales. For those of us that have to cloak our affiliate links, or use tracking, there is no choice. Fortunately, I do not see any other email programs being so "tight" if you'll pardon my French.

October 19, 2010 3:31 AM

Hi everyone.
Thunderbird's scam filter engine is quite good, I think. I have found that Thunderbird will filter the case below as "may be scam":
- HTML email
- There is at least one link whose link text begins with "http://..."
- The link above has a URL different from the link text.

For example:

If the link text doesn't begin with http, or the link is an image, it will pass the scam test.

Larry Jones
October 20, 2010 12:25 AM

I use T/Bird, and attempted to do as suggested, but found no privacy tab, after Tools>Options>???

Terry Hollett
October 20, 2010 8:54 AM

I think it's more important for people to learn to recognize such scams than having to rely upon any program(s) to protect you.

Glyn Duggan
October 26, 2010 12:28 PM

The answer to Larry's question: In Thunderbird 3.1.5 (ie the current one - you have upgraded, haven't you?), the button you want after 'Options' is 'Security', not 'Privacy'. HTH
