Dear RIPE: Please don't encourage phishing
mysidia at gmail.com
Sun Feb 12 00:10:03 UTC 2012
On Fri, Feb 10, 2012 at 10:56 AM, Steven Bellovin <smb at cs.columbia.edu> wrote:
You know, clickable objects in automated business communications are a
the larger the organization sending the message, the more complicated
and annoying their standard e-mail template full of HTML eyecandy, the
more clickable links to improve accessibility, and banks among the
Those encourage phishing, because HTML just provides way too many
methods of faking a URL, or making a 'button' or 'link' go to
somewhere else besides what is suggested by the e-mail text.
All an e-mail user needs to do is click on one unknown link, to be
quietly diverted to a fake website, that will then ask the user to
"change" a password; it makes no difference whether the e-mail
itself is about passwords or a security issue or not.
Convincing the user to "log in" can be done while they are visiting
the fake website.
There are plenty of phishers that rely on convincing users to hit the
'reply' button and divulge sensitive info, with no clickable items
in the message at all.
But this particular item from RIPE here appears to be a plain text message...
The message from RIPE is darn benign, and does not really encourage
When was the last time you saw a phishing attempt in a text/plain
e-mail showing the name of an HTTPS location
on the real organization's web site?
If sending out a web address "encourages phishers", then what are
they supposed to provide to make sure maintainer users can easily
and quickly change their password?
RIPE's not encouraging phishing by sending such a message. MUA
developers who included text/html MIME type support and support
creating clickable objects in an HTML message have encouraged
convincing phishing very much so.
What RIPE did there is a perfect example of what should be done.
Send plain text e-mail with the URL location to review, no HTML
They have no control of your e-mail client that for some reason
perhaps turns a plaintext URL into something you can click.
> I received the enclosed note, apparently from RIPE (and the headers check out).
> Why are you sending messages with clickable objects that I'm supposed to use to
> change my password?
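As an added example, not part of this post or the thread, here is a defender-side check for the HTML trick the post describes: anchor text that reads as one URL while the href actually goes somewhere else. The HTML body and the domain names in it are constructed for illustration.

```python
"""Flag HTML e-mail links whose visible text names one host while the
href points at another (the spoofing the post argues HTML makes easy)."""
import re
from html.parser import HTMLParser
from urllib.parse import urlparse

# A visible string that looks like a URL or bare domain (scheme optional).
URL_LIKE = re.compile(
    r'^(?:https?://)?([A-Za-z0-9.-]+\.[A-Za-z]{2,})(?:[/:?#].*)?$', re.I)


class LinkCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element in the body."""
    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href") or ""
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def shown_host(text):
    """Hostname the visible text claims to point at, lowercased, or None
    when the text is an ordinary label such as 'Log in'."""
    m = URL_LIKE.match(text.strip())
    return m.group(1).lower() if m else None


def find_mismatched_links(html_body):
    """Return [(visible_text, href)] where the text looks like a URL but
    names a different host than the href really leads to."""
    parser = LinkCollector()
    parser.feed(html_body)
    suspicious = []
    for href, text in parser.links:
        claimed = shown_host(text)
        if claimed is None:
            continue  # nothing to compare against
        actual = (urlparse(href).hostname or "").lower()
        if claimed != actual:
            suspicious.append((text, href))
    return suspicious


# Constructed sample: first link lies about its destination, second is honest.
SAMPLE = ('<p>Please visit <a href="https://login.bank-example.test/reset">'
          'https://www.bank.example/</a> to change your password.</p>'
          '<p>Or <a href="https://www.ripe.net/">www.ripe.net</a></p>')
```

A plain-text message, the format the post defends, has no href to diverge from its visible text, so this check only has work to do on text/html parts.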