On 8/19/2014 6:17 PM, John Curran wrote:
On Aug 19, 2014, at 4:33 PM, Ted Mittelstaedt<[email protected]> wrote:
...
There is one issue that Martin didn't mention that might be the cause of the
POC validation issues. To put it as simply as I can, the
emails that ARIN sends out for POC validation look exactly like phishing
emails.
I got one of those mails and I could hardly believe that one of the top
Internet companies would actually send out an email that EMBEDDED A URL LINK in
the mail message.
I opened the message in a text editor to make sure the link was actually
going to where it was supposed to go before clicking it.
Your people should know better. How many spams a day do you get purporting to
be from UPS/FedEX/BankofAmerica/IRS/etc. etc. etc. with
embedded links in them and an enticing email message to try to get the
people to click on the link (which of course immediately redirects them
to a broken-into server)? A lot, huh? So what on earth makes you think
that your validation emails won't be regarded as phishes by the clueful
people who get them - network admins?
The only spamproof way of getting a proper email validation is to
ask the recipient to REPLY then you parse the replies that come back
in.
Nobody who wrote this policy had thought that ARIN would ever resort
to a tactic that is used by spammers and phishers and identity thieves
thousands of times a day - which is to embed a clickable URL in the
validation email message.
It does not surprise me that some are complaining they missed the
validation email.
Ted -
We did get feedback from some folks that they do not click on URLs
embedded in email messages, and recently (2Q 2014) have added text
to the validation email to state that you can "reply" to the email
instead to validate (as well as the necessary back-end processing
for replies received.) This provides a safe option for those who
do not wish to click on a URL but still wish to validate their POC.
Note that many folks do presently click on the URL, as it is both
to an arin.net address and is visible with the same text as the
actual underlying URL. As you are well aware, emails of the phishing
variety almost always have URLs which purport one thing but refer
to some different underlying hyperlink.
Does providing the simple "reply" option as you suggest suffice,
or do you believe that email reply should be the only option, with
the present arin.net URLs stripped from the validation email?
Hi John,
Embedded URLs are not really the problem - the problem is
MIME-encoded email and HTML-encoded email that have the embedded
URLs.
If you are sending clickable URLs out in pure ASCII (text) emails then
there isn't any problem. The fact is that many email clients
when they see URLs in ASCII mail will make them "clickable". A
pure text email cannot hide a different URL behind one URL.
In an ideal world the URL would not exist in the email, because
including it helps to legitimize the practice.
But in practicality the most important thing is getting validation
that the email address is being read by a human being, and the embedded
URL does accomplish that. It may also be that the destination email
address is something like "[email protected]" and is being
forwarded to a recipient whose knee-jerk Reply would be to send the
reply with a different sender's address than what you emailed to. (which
might complicate parsing the replies)
Since you're getting significant returns on the clicks then you should
continue to use them - but my vote would be to ONLY use them in TEXT
emails.
I know that sending pure text emails is out of fashion - since that
precludes people putting in all kinds of fancy logos and formatting
which they believe are necessary to the continuation of the species -
but us old timers were formatting ASCII-only email since before most
of the young whippersnappers out there were in diapers. ;-)
Ted
Thanks!
/John
John Curran
President and CEO
ARIN
_______________________________________________
PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List ([email protected]).
Unsubscribe or manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/arin-ppml
Please contact [email protected] if you experience any issues.