I looked at the last one of these I got (that I saved) and it was
indeed text - but I could have sworn I got something from ARIN
recently with HTML mail that had an embedded URL.  It might not
have been a POC validation but something else.  And of course I
can't find the dang email right now.

Note that it's possible to define Courier font on an HTML
email and make it look like text - I've seen that trick done
by a spammer before.  So even if ARIN is sending out text
with URLs in it, they should try to limit the types of emails
that contain links.  Most especially never send out any emails
that link to a Login page on the ARIN website.  That's the
trick phishers use to collect userIDs and passwords for banks,
ya know.

The POC email addresses, being public, are harvest-able.  It would
not take much for a spammer to duplicate a POC validation email
in Courier font as an HTML mail and send it out to all the POCs in
the whois database with a hidden link in it.  Whether
it would be that successful in catching anyone with their pants
down is another story - those email addresses would be going to
the most suspicious people on the Internet.

I still think a simple Reply is the safest.

Ted

On 8/20/2014 12:20 PM, David Farmer wrote:
On 8/20/14, 13:08 , John Curran wrote:
On Aug 20, 2014, at 12:24 PM, Ted Mittelstaedt <[email protected]> wrote:

Hi John,

Embedded URLs are not really the problem - the problem is
MIME-encoded email and HTML-encoded email that have the embedded
URLs.
...
Ted -

Point taken (and I am a huge fan of plain text email :-)... I will
look into any downsides to this approach and report back to the list.

I went back and looked at the latest validation email I got Aug 1 for my
POC, quite timely for this discussion. As far as I can tell it is not an
HTML email, but a plain text email with a plain text URL; quoted below is
the relevant portion, depersonalized.

The following is your current POC Whois registration record. To
validate, please take one of the actions listed below. If no action is
taken within 60 days, your POC record will be marked invalid in ARIN's
Whois.

Your POC information in Whois is:
XXXXX
1) If the information above is correct, please confirm by visiting:

https://www.arin.net/public/pocValidation.xhtml?validationCode=XXXXXXXXXXX


Alternatively, you may confirm by replying to this email.

2) If the information is incorrect:

a) Log into your ARIN Online account (you can create an account by
going to www.arin.net and selecting 'new user' on the left)
...

I'll note that when I first looked at it, the reply-to-email option was
hiding under the URL and didn't fully catch my attention. Might I
suggest a minor rewrite, enumerating the options for confirming and
adding "log into ARIN Online" as the first option, something more like
the following:

----

1) If the information above is correct, please confirm using one of the
following methods:

a) Log into your ARIN Online account and follow instructions there to
confirm;

b) Or, visit the following URL

https://www.arin.net/public/pocValidation.xhtml?validationCode=XXXXXXXXXXX

c) Or, reply to this email.

----

This would encourage the safest behavior, an action that is completely
independent of the prompting email: "log into ARIN Online". However, it
still allows the less preferred, but probably more convenient, behavior of
clicking on a link or replying to the email.

Thanks.

_______________________________________________
PPML
You are receiving this message because you are subscribed to
the ARIN Public Policy Mailing List ([email protected]).
Unsubscribe or manage your mailing list subscription at:
http://lists.arin.net/mailman/listinfo/arin-ppml
Please contact [email protected] if you experience any issues.
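
A recipient-side check for the concern raised in this thread (an HTML mail styled in Courier to pass as plain text, carrying a link whose target differs from the URL shown), as an added example that is not part of the original messages or ARIN's code. The sample message, the `example.invalid` hosts, the finding labels and the `expected_host` default are assumptions made for illustration.

```python
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample (not a real ARIN message): HTML styled to look like plain text.
HTML_SAMPLE = (
    "From: hostmaster@example.invalid\nSubject: POC validation\n"
    "Content-Type: text/html; charset=utf-8\n\n"
    '<pre style="font-family: Courier">Please confirm by visiting:\n'
    '<a href="https://login.example.invalid/v?c=X">'
    "https://www.arin.net/public/pocValidation.xhtml?validationCode=X</a></pre>\n"
)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) pairs from an HTML body."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    """Lower-cased host of a URL; tolerates visible text with no scheme."""
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def audit(raw_message, expected_host="www.arin.net"):
    """Return findings for one raw message; an empty list means no HTML part."""
    msg = message_from_string(raw_message, policy=policy.default)
    findings = []
    for part in (p for p in msg.walk() if p.get_content_type() == "text/html"):
        body = part.get_content()
        findings.append("html-part")
        if "courier" in body.lower() or "monospace" in body.lower():
            findings.append("monospace-styling")
        parser = AnchorCollector()
        parser.feed(body)
        for href, text in parser.links:
            if host(href) != expected_host:
                findings.append("off-site-href:" + host(href))
            if "." in text and " " not in text and host(text) != host(href):
                findings.append("text-href-mismatch")
    return findings
```

A genuine plain-text validation mail like the one quoted above produces no findings, which is the property that makes any HTML part in a message claiming to be a POC validation worth a second look.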
