IE7 Phishing Filter Update


Greetings! I’m Raghava Kashyapa, Program Manager for the Microsoft Phishing Filter technology in IE7. As you might already know – it is important to use the latest versions of IE7 to get the benefits of all the changes we have made over the past year since the release of the first public beta. 

We made improvements to the client based on feedback and want to ensure users use these new and improved builds of the browser.   The impact of these improvements means that older IE7 beta versions prior to IE7 Beta 2 (versions 7.0.5296.0 and older) will no longer work with the Phishing Filter Service. This primarily affects anyone who is still using IE7 Beta1 and the IE7 Beta 2 Preview.

If you’re running any of the affected old builds, you will notice a “phishing filter service is unavailable” icon on the bottom right corner of your browser window:

Recent builds, including all versions newer than IE7 Beta2 (build 7.0.5346.0 and upwards) will be unaffected. To get the most up to date improvements I would strongly encourage you to download and install the latest version of IE7.

Cheers,

Raghava Kashyapa
Program Manager

edit: adjusted attribute for screenshot to reflect “Title”

Comments (36)

  1. john says:

    Great, that’s really interesting…

  2. Gary says:

    The attribute you were looking for, when you hosted the screenshot, was "title"

    e.g.

    <img src="…" title="Phishing Filter Service Unavailable Dialog"…/>

    That said, out of curiosity, since most people on this blog are developers/designers of web sites/applications, do any of you turn this feature on?  It was one of the first that I turned off.

  3. Brad Bice says:

    I think Microsoft should consider re-naming the Phishing Filter. I have encountered many people who have asked "What’s phishing?"

  4. rc says:

    @ Brad Bice

    Fifteen years ago I used to encounter many people who have asked, "What is Internet?" Fortunately, Internet wasn’t renamed…

  5. Tino Zijdel says:

    Good thing you thought about adding a title to the image, but the fact that you set it on the alt-attribute (although setting an appropriate alt-attribute is actually a good idea, but then it should actually describe the image) once again shows that some people within the IE-team still have to learn a few things 😉

    First thing I would suggest is that IE7 should stop showing alt-attributes as tooltext.

  6. Geoff says:

    @Gary,

    Why is this even important? You, me, the IE Team, or other tech-savvy people may not need the Phishing Filter, since we can easily spot (read: know when a link will point to) a phishing site.

    But your average joe will not necessarily have the same knowledge.

    I don’t really seem what point you’re trying to make.

    @Brad

    That’s what the ‘what is’ help hyperlinks in various dialogs are for. What do you suggest they rename it to?

    @Tino

    Do you feel all high and mighty now you have ‘corrected’ one of the IE Team?

  7. ray says:

    I use the phishing filter, and it has actually done a good job so far, it has protected me from atleast 2 or 3 sites that attempted to do nasty stuff.

  8. Tino Zijdel says:

    Geoff: no, I don’t feel all high and mighty and if you read carefully you will notice the 😉 which says that it is just to be taken as an advice and not a really big deal. My suggestion that IE(7) should not show tooltips for alt-attributes is imo valid though.

    I see now that they have changed it but now there is no alt-attribute whatsoever.

    And talking about ‘correcting’ people from the IE-team; many people working mainly with IE as their platform learn the wrong things simply because IE gets it wrong. It’s not a matter of correcting but a matter of showing them how things should be done and hoping that that will one day reflect to IE itself making it a better browser. Unfortunately IE7 will not bring that day and given the (non)feedback on many of my and other people’s reports don’t give much hope for the near future either.

  9. Me Explorer 7 Beta 3 doens*t work

  10. TheViewMaster says:

    The IE7 "Phishing Filter" Wouldn’t Even Be Necessary If Microsoft & Others (e.g. eBay) WOULD ACT (Legally) AGAINST The "Phishers"!!!

    Currently, My Phishing Filter Is "DISABLED"!

    [Side Note: Have You Ever Tried To Report a Suspected "Phishing" Instance To eBay???

    http://pages.ebay.com/securitycenter/?ssPageName=home:f:f:US

    It’s RIDICULOUS!!!]

    :-(

  11. By now everybody should be running IE7 RC1, but just in case you&amp;#39;re not, you should know that the

  12. Dave says:

    Phishing filter does sound too geeky and considering that IE in other areas tries to make terms less techncal how did a term like phishing remain. A lot of people who’ve not encountered the term may just think that you’re really poor spellers.

    Firefox in version 2 will tell you of a ‘suspected web forgery’ rather than a suspected phishing site. Keep it friendly rename the phishing philter!

  13. Jacqueline says:

    I use the phishing filter too, it is a good idea

  14. Frank says:

    phishing site still "temporarely" unavailable in my IE RC1 version 7.0.5700.6

    some kind of problem updating from previous beta-releases?

  15. AlexGl [MSFT] says:

    @The View Master

    In addition to our work with the Phishing Filter in IE7, Microsoft is also working to stop phishing at the source by taking legal action against phishers, as part of our Global Phishing Enforcement Initiative. We discussed a conviction obtained through this effort in a previous blog entry:

    http://blogs.msdn.com/ie/archive/2006/06/22/643173.aspx

  16. jeff bonomo says:

    help me with this

  17. Dave Wrixon says:

    If it is such an issue then get the IE 7 rolled out on automatic update ASAP. Phishing affects IE 6 users as well and is not fundamentally an IDN problem.

  18. Tyler Reid says:

    I had this warning pop up on my browser even though i’m using RC1. For the record it no longer appears – but why did it do this if it’s only supposed to affect Beta 1 and 2 builds?

  19. Rod says:

    I cannot stand the way IE7, and Vista for that matter treats me as if it were the owner and I was some idiot child trespassing in their home.

    I have always kept my computer up to date and protected with 3rd party apps, Mcafee, and I far prefer that to the junk filters and crap firewalls you are providing.

    It decides that I cannot run java scripts even though I need them to run, it tells me it shuts down *.swf scripts and will not allow me to change the settings to allow the scripts to run.

    I want to make those decisions, I do not want my OS to hold me by the hand and treat me like a complete and useless scrud, I am not a Mac owner and can make decisions without you guys deciding for me.

  20. moonwalker says:

    I am developing a program called eJukebox in VB6 that uses the IE6/7 web browser control. I use custom window.status messages as a way to link/communicate between dynamically created content displayed in the embedded browser and the rest of my program. I think it is wrong for IE7 to disable scripting of the status bar messages by the default security settings.

    Don’t you think it would make sense to only enable this disabling ‘feature’ for internet content? I.E. make it allow status message scripting for content loaded in the browser control that is from a local path.

    If you can’t do that can someone please email me (daveieblog @ audiosoft dot net) with how to programmically update the security settings so eJukebox continues to work when they upgrade to IE7.

    VB6 programs should be able to receive StatusTextChange events from javascript window.status message changes created by HTML content hosted in the IE7 browser control. That is how it was in IE6. Disabling ‘Allow status bar updates via script’ for local content pretty much destroys my program and all my hard work.

  21. moonwalker says:

    "Allow status bar updates via script" should be Enabled by default! Too many programmers and web designers use the window.status event for real and useful purposes. To TAKE OUT functionality is wrong. You have the brightest programmers at Microsoft. So please use them to address the phishing problem and at the same time not totally disable window.status for everyone.

    There is no bad use for window.status except trying to hide the real url. So why not disable it from looping or showing a fake URL. Make it always show the real url in the tooltips if you want.

    Please update IE7 so non-looping…non-url…text status.message’s always trigger the browser control’s StatusTextChange event – at least when the URL in the browser is to a temporary internet folder file path location.

  22. Dave Wrixon says:

    There is no bad use for window.status except trying to hide the real url. So why not disable it from looping or showing a fake URL. Make it always show the real url in the tooltips if you want.

    By "real URL" do you mean punycode. Is every non-English speaker always going to be expected to communicate in machine code just because some English Programmers have some obscure isoteric alternative use for the Address Bar? The Phising Issue has always been largely a gripe of the English Community. The fact is that that most phishing attacks have been substantial undertaken to date in ASCII characters not Unicode. Why is America so Zenophobic?

  23. hAl says:

    A browser status bar is for showing the browser status information.

    Not really for application messaging.

  24. Dmitri says:

    IEBlog – IE7 Phishing Filter Update!

    Ping back from: http://hostbazar.info/?p=19