Betterbird Blog

What’s going on in the project

Release 140.9.0esr-bb20

- Posted in Releases by

We've shipped Betterbird 140.9.0esr-bb20 today. Please refer to the Release Notes for full details.

Here are three important new features and changes:

We improved the "delayed sending" capability: a message that is scheduled for sending is now reliably not sent once it has been opened for further edits with "edit as new message".

Betterbird/Thunderbird can convert an e-mail message into a calendar event or task, and the original message is linked to the event/task. However, that link wasn't reliably displayed. That is now fixed, and we added an Open in Folder button (see screenshot) that takes you back to the original message.

Lastly, localised versions, like the German version, no longer include the standard Mozilla English (US) dictionary. We had users who expressed that they wanted to remove the dictionary, which wasn't possible. Not bundling it also allows more flexibility in choosing an English dictionary. Here are some choices:

Credit card testing on Stripe

- Posted in Ranting by

If you read the article about discontinuing the Revolut payment link, you will already have heard of credit card testing attacks: fraudsters make (small) payments to "merchants" to test whether stolen or leaked credit card details are still valid. As you can see in the picture, nine attempts were made within less than 40 minutes. All Revolut did was block our account; they don't offer any mitigation tools.

In March 2026 our Stripe USD payment link also came under attack. It started with small payments between $0.50 and $2, which we blocked, but later the amounts increased to $5 to $20, and even payments of $100 or $1000 were "tested".

To mitigate the issue, the following measures were taken on top of Stripe's so-called Radar, which has its own heuristics for fraud detection:

  • Small donations blocked
  • Donations from Algeria blocked; there seems to be a nest of fraudsters there
  • 3D Secure now required for payments (when available)
  • Stricter address checking
  • USD payment link replaced twice, and all payment links now obfuscated (supplied via JS on page load or user click rather than being present in the static page)
  • Proactive refund of suspicious payments, since every dispute carries a fee of $20
  • Last but not least: the Link payment method, a Stripe invention, was disabled, since it makes these attacks faster for the fraudsters.

Unfortunately, Stripe's own mitigation isn't very good: in one case there were at least 8 failed tests from the same IP address within 33 minutes, and Stripe still allowed a subsequent payment from that IP address, which of course we refunded immediately to avoid a costly dispute (see screenshot: history of declined transactions).
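As an added illustration (not Betterbird's or Stripe's code, and not Stripe Radar's rule syntax), here is a small pre-screening layer that applies the mitigations listed above to a constructed stream of charge attempts before they would be forwarded to the processor: an amount floor, a country block, a 3D Secure requirement, and an IP velocity rule of the kind that would have caught the "8 declines in 33 minutes, then an approval" pattern described above. The event shape, the field names (`ip`, `country`, `threeDsAvailable`, `issuerOutcome`) and the thresholds are assumptions chosen for the example; the country code `DZ` is the ISO 3166-1 code for Algeria.

```javascript
// Added example, not Betterbird's or Stripe's code. A merchant-side pre-screen that
// decides whether a charge attempt may be forwarded to the processor at all.
// Event shape and field names are constructed stand-ins, not Stripe's event format.

const RULES = {
  minAmountCents: 500,                // refuse small "test" charges under $5.00
  blockedCountries: new Set(['DZ']),  // Algeria (ISO 3166-1 alpha-2); how the country
                                      // is derived (IP vs. card BIN) is an assumption
  require3ds: true,                   // refuse when 3DS was available but not completed
  maxDeclinesPerIp: 3,                // velocity: this many declines from one IP ...
  windowMs: 60 * 60 * 1000,           // ... within the last hour refuses further attempts
};

// Count declines already recorded for `ip` inside the sliding window ending at `ts`.
function declinesFromIp(history, ip, ts, windowMs) {
  return history.filter(
    (e) => e.ip === ip && e.outcome === 'declined' && e.ts <= ts && ts - e.ts < windowMs,
  ).length;
}

// Screen one attempt against earlier attempts (each carrying its final outcome).
// Returns { allow, reason }; rules are checked cheapest first.
function screenCharge(attempt, history, rules = RULES) {
  if (attempt.amountCents < rules.minAmountCents) {
    return { allow: false, reason: 'amount_below_floor' };
  }
  if (rules.blockedCountries.has(attempt.country)) {
    return { allow: false, reason: 'country_blocked' };
  }
  if (rules.require3ds && attempt.threeDsAvailable && !attempt.threeDsCompleted) {
    return { allow: false, reason: '3ds_required' };
  }
  const declines = declinesFromIp(history, attempt.ip, attempt.ts, rules.windowMs);
  if (declines >= rules.maxDeclinesPerIp) {
    return { allow: false, reason: `ip_velocity:${declines}_declines` };
  }
  return { allow: true, reason: 'ok' };
}

// Run the screen over a time-ordered stream. An attempt we refuse is recorded as a
// decline so it feeds the velocity counter; an attempt we forward takes the issuer's
// answer (`issuerOutcome` is the constructed stand-in for the card network's reply).
function screenStream(events, rules = RULES) {
  const history = [];
  const decisions = [];
  for (const ev of events) {
    const d = screenCharge(ev, history, rules);
    decisions.push({ id: ev.id, allow: d.allow, reason: d.reason });
    history.push({ ...ev, outcome: d.allow ? ev.issuerOutcome : 'declined' });
  }
  return decisions;
}

// Constructed sample: eight declined $20 attempts from one IP spread over 28 minutes,
// a ninth $100 card at minute 33 that the issuer would approve (the pattern from the
// post), and one unrelated legitimate donor who must not be affected.
const T0 = Date.UTC(2026, 2, 14, 10, 0, 0);
const MIN = 60 * 1000;
const SAMPLE_EVENTS = [];
for (let i = 0; i < 8; i++) {
  SAMPLE_EVENTS.push({
    id: `att_${i + 1}`, ts: T0 + i * 4 * MIN, ip: '203.0.113.7', country: 'US',
    amountCents: 2000, threeDsAvailable: false, threeDsCompleted: false,
    issuerOutcome: 'declined',
  });
}
SAMPLE_EVENTS.push({
  id: 'att_9', ts: T0 + 33 * MIN, ip: '203.0.113.7', country: 'US',
  amountCents: 10000, threeDsAvailable: false, threeDsCompleted: false,
  issuerOutcome: 'approved',
});
SAMPLE_EVENTS.push({
  id: 'att_10', ts: T0 + 35 * MIN, ip: '198.51.100.20', country: 'DE',
  amountCents: 2500, threeDsAvailable: true, threeDsCompleted: true,
  issuerOutcome: 'approved',
});

function demo() {
  return screenStream(SAMPLE_EVENTS);
}

for (const d of demo()) {
  console.log(d.id, d.allow ? 'forward' : 'refuse', d.reason);
}
```

With these thresholds the first three declines are forwarded to the issuer, attempts four to eight are refused locally on velocity, and the ninth card, the one the processor let through in the case above, is refused with eight declines on record, while the donor from a different IP is forwarded. The velocity counter deliberately includes attempts the screen itself refused, so a tester cannot reset it by continuing to submit cards.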

On this topic, Stripe support made the following statement: "Stripe is first and foremost a payments processor. We facilitate your interaction with the card networks and issuers, and we provide a PCI-compliant way to do so. Payment processing is not the same as dedicated fraud protection. We do have safeguards against fraud, and we do try to weed out risky transactions without blocking legitimate charges - it's a pretty delicate balance. There's simply no algorithm that can replace the role of the merchant's manual review of orders. But even these powerful, dedicated solutions are not foolproof; the strongest, and best, line of defense is still manual review."

If your genuine donation in USD was declined, please get in touch and we'll find a different payment option. In a dialogue with a donor we found out that Bank of America generally allows outgoing ACH payments. For "regular" customers they charge a fee; it's free for customers with "preferred status".

Strange what tasks arise in an open source project which aims at providing the world's best e-mail client.