I just downloaded a trial copy of Norton Antivirus 2007 to install on a test machine. On the same box, I have Mozilla’s new Thunderbird 2.0 e-mail client installed. As part of the trial install, I had to create a Norton Account (not sure, but that might be a (TM)) with Symantec.
Symantec sent me an acknowledgment message via e-mail within minutes after I created the account. Thunderbird’s anti-phishing module wasn’t pleased:
I’ve been reasonably impressed with the performance and design of Thunderbird so far, but this sort of false positive is always troubling, no matter where it comes from.
Update: I’m surprised that this post drew so many comments so quickly. Here’s why I’m pointing this out: Mozilla and Google are tight, very tight. They collaborated extensively on the anti-phishing technology in Firefox. Google Mail (Gmail) even gets its own entry in the New Account Setup dialog box for Thunderbird.
So I would assume that mail coming into Thunderbird from my Gmail.com account should be the best possible candidate for the Mozilla/Google team to get right.
And in fact Google Mail does get it right. When I look at the message source, I see two headers added by Google: one shows the results of a Brightmail scan, which says the message is from a whitelisted domain. The other is an SPF header added by Google, tagged PASS, which says the IP address the message originated from is a “permitted sender.”
Google has gone to a lot of trouble to screen all mail coming into a Gmail account for junk or suspicious content. So why isn’t Mozilla able to piggyback on this analysis?
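As an added illustration (not code from the post, from Google, or from Thunderbird), here is a small Python check that reads the kind of Received-SPF header described above, extracts the result, and also confirms that the domain SPF actually vouched for matches the visible From domain, since an SPF pass by itself only covers the envelope sender. The message, domains and IP addresses are constructed for the example.

```python
import email
import re
from email import policy
from email.utils import parseaddr

# Constructed sample message, modelled on the headers the post describes (not the real one).
RAW_MESSAGE = """\
Received-SPF: pass (mx.example.net: domain of account-noreply@vendor.example designates 192.0.2.10 as permitted sender) client-ip=192.0.2.10;
From: "Vendor Accounts" <account-noreply@vendor.example>
To: test@recipient.example
Subject: Your new account

Thanks for creating an account.
"""

# Constructed failure case: SPF passes for the mailer's envelope domain, but the visible
# From header shows a different domain, so the pass says nothing about what the user sees.
SPOOFED_MESSAGE = """\
Received-SPF: pass (mx.example.net: domain of bounce@mailer.example designates 198.51.100.7 as permitted sender) client-ip=198.51.100.7; envelope-from=bounce@mailer.example;
From: "Vendor Accounts" <account-noreply@vendor.example>
To: test@recipient.example
Subject: Your new account

Please confirm your details.
"""

# Received-SPF: <result> (<comment>) key=value; key=value; ...
SPF_RE = re.compile(r"^\s*(?P<result>[A-Za-z]+)\s*(?:\((?P<comment>[^)]*)\))?\s*(?P<kv>.*)$", re.S)

def parse_received_spf(value):
    """Split a Received-SPF header into its result, free-text comment, and key=value pairs."""
    m = SPF_RE.match(value.replace("\n", " "))
    if not m:
        return None
    pairs = {}
    for chunk in m.group("kv").split(";"):
        if "=" in chunk:
            k, v = chunk.split("=", 1)
            pairs[k.strip().lower()] = v.strip()
    return {"result": m.group("result").lower(), "comment": m.group("comment") or "", **pairs}

def spf_authenticated_domain(spf):
    """Domain SPF vouched for: envelope-from if present, else the 'domain of ...' note."""
    if "envelope-from" in spf:
        return parseaddr(spf["envelope-from"])[1].rpartition("@")[2].lower()
    m = re.search(r"domain of \S+@(\S+?) designates", spf["comment"])
    return m.group(1).lower() if m else ""

def assess(raw):
    """Report the SPF result and whether it is aligned with the visible From domain."""
    msg = email.message_from_string(raw, policy=policy.default)
    from_domain = parseaddr(str(msg["From"]))[1].rpartition("@")[2].lower()
    # Only the topmost Received-SPF (added by your own receiving server) is trustworthy;
    # anything lower down arrived with the message and could have been written by the sender.
    results = [r for r in (parse_received_spf(v) for v in msg.get_all("Received-SPF", [])) if r]
    if not results:
        return {"spf": "none", "aligned": False, "from_domain": from_domain}
    spf = results[0]
    aligned = spf["result"] == "pass" and spf_authenticated_domain(spf) == from_domain
    return {"spf": spf["result"], "aligned": aligned, "from_domain": from_domain}
```

A client that reused the upstream verdict this way could treat an aligned pass as evidence against a scam warning, while the second constructed message shows why the result alone is not enough.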
Update 2: For those who think I’m picking on Mozilla, note that I called out Microsoft for an even sillier false positive about 18 months ago. And in both cases this behavior is the correct default. When in doubt, let me make the decision, exactly as Thunderbird has done here. But the algorithm really should be better than this.
Ed –
I also have Thunderbird 2.0 and so far have found it to be a huge improvement over Outlook Express.
I find your comment puzzling … wouldn’t you rather get the odd ‘false alarm’ rather than have scam email slip through? I mean, software can only do so much, you still have to use the old noggin.
Don, in my opinion, false positives are worse than false negatives, especially when it comes to e-mail and applications. I don’t want an AV scanner to disable a legitimate program (as Trend Micro did last year) because it mistakenly thinks it has a virus.
I have a multi-layered defense here and trust myself to identify a scam e-mail, but could suffer serious loss if a program decided to eliminate an e-mail without telling me. It does not inspire confidence if a security program (in this case, Mozilla’s anti-phishing module) can’t correctly identify an e-mail coming from the largest computer security company in the world.
It’s certainly not a deal-breaker, but it’s troubling.
Hi Ed –
Two more quick comments and then I’m going to leave this alone.
1) I took a look at the help file for Thunderbird and although I have not had an opportunity to put it to the test, it looks like you can tell TB that an email it thinks is a scam is legit. I don’t know if this is a ‘sticky’ setting ie: whether it will let the next email from the same address through without question.
2) If you insist on opening a suspect email TB will still let you do it, it just asks to make sure you really know what you are doing.
Can’t say that I saw anything about eliminating an email without telling you.
Thing is Ed, Thunderbird did not decide “to eliminate an e-mail without telling” you. It put up a warning – nothing more. If you trust yourself, then why do you have anti-phishing enabled in Thunderbird?
Have you looked at the structure of the Symantec email in detail (header and such)? In the past I have received email from them for betas or corporate licensing that have been flagged by other anti-spam applications – usually because something doesn’t quite match up upon closer inspection.
Vincent, that’s the default setting. I was never prompted to turn on anti-phishing. It did that without asking me.
And no, it didn’t delete the e-mail, but if I’m an inexperienced user, I see that and get confused. False positives and false negatives are both bad because they make it difficult for the user to make rational trust decisions. Now the user thinks, wow, did I just give my personal information to a scam site?
Honestly, if an anti-phishing algorithm flags a legitimate e-mail from Symantec, one of the largest software companies in the world, as a possible scam, I begin to lose confidence in the underlying algorithm.
Ed: if you are playing around with replacements for OE/WLMD or that hog called Outlook you might also want to take a look at InScribe … it is the best 20.00 I ever spent IMO.
I have tried every version of TB at some point or another and have always walked away from it. With OE/WLMD I got really ticked at the difficulty in being able to backup/restore settings and data.
With InScribe it was just a simple matter of copying the base folder and contents somewhere safe and then copying it back … simple, easy and it just works.
The author also has a port for both Mac and Linux:
http://www.memecode.com/scribe.php
Andrew, yes I looked at the message headers. Google and Brightmail flagged it as legitimate, from a whitelisted source. It has a legitimate SPF header that Google passed as a “permitted sender.”
I just went to the site and had them send me another e-mail to the same account, but this time I received it via Windows Live Mail, which handled it correctly.
Steven, I’ll take a look at InScribe. Although you’ll be sorry to hear I really like Outlook. For this test I’m just trying out a bunch of non-Microsoft products to see how they work with Vista.
This may sound too stupid and/or simple but have you tried just sending yourself an email with text that says, “Congratulations!” to see if Thunderbird flags it?
Bill
Well, Bill, if the algorithm is that crude, Mozilla’s in trouble. Fortunately, it’s not. I sent a message with the same text from my personal domain to this Gmail account and it passed just fine.
Ed, that’s the product quality filter and not the phishing filter. Symantec software is a scam. Vista’s performance logs are throwing quite a few warnings about Symantec components causing long delays. Do you see those on your systems as well?
Dave,
Heh.
I installed only the Norton AntiVirus module and saw a small number of messages about delays. Nothing extreme and nothing that was unexpected. If you have some examples, feel free to send them to me privately. Thanks.
Dave, I’d love to hear / see more about Vista’s performance logs before and after Vista — do you have something published about this yet?
Ed,
You’re right that false positives are an issue and that Thunderbird should have correctly identified the message.
That being said, I think the bigger issue may be that you’re using Norton. Symantec’s corporate products are pretty good, but I’ve had terrible experiences with their consumer security products.
Carl, this installation of Norton is for testing purposes. I don’t use or recommend any Norton products on production machines, but lots of people use Norton products and I need to know about how they work. In this case, Norton was working just fine and the problem had nothing to do with Symantec’s software.
I just want to know:
How did you make the screenshot with the torn side (New Account setup)?
The torn edge effect comes from SnagIt.
Hi Ed,
I’ve been using TB for a long time, 0.9 or thereabouts, and don’t see your issue with the false positive.
I see it as overly careful, but not a problem. I can always change settings to allow it.
If you were expecting the email then you know it’s not a scam. Just change the setting to allow Symantec.
If I’m an inexperienced user and I’m expecting the email and it’s flagged as a scam, then as a reasonable person I should call the vendor to confirm the email. It might take a few more minutes, but better safe than sorry.
Lastly, it doesn’t matter that it came from Symantec, “one of the largest software companies in the world” because the phishers love to send spoofs from them, McAfee, Microsoft, etc. The bigger the better.
It gave you the choice to accept it or not, whether it passed your Gmail account or not. Someday Gmail will generate a false positive, I’ll be patiently waiting to read it here.
Ray
Ray, I think you miss my point.
Google used two very high-powered tools, Brightmail and SPF, to identify this message as legit. Why can’t TB use those same tools?
As for expecting this message, if I’m an unsophisticated user, I now fear that I was scammed at the earlier website, because of this bogus message. My clients call me with questions like this all the time. “I filled in a website and then I got this email but the program says it might be a scam. What should I do?” As a user, how do I know the email program is wrong and the web browser was right?
Sorry Ed, I see where you are coming from now. I overlooked that and looked at my solutions that I’ve used forever with TB and Outlook at work.
On another topic related to Norton & a previous blog post of yours, I ran into a second incident with a second client with Webroot Spy Sweeper not playing nice with Norton.
Thanks… Ray