Home page logo
/

nanog logo nanog mailing list archives

Re: Dear RIPE: Please don't encourage phishing
From: Jimmy Hess <mysidia () gmail com>
Date: Sat, 11 Feb 2012 18:10:03 -0600

On Fri, Feb 10, 2012 at 10:56 AM, Steven Bellovin <smb () cs columbia edu> wrote:

You know, clickable objects in automated business communications are a
standard practice,
the larger the organization sending the message,  the more complicated
and annoying their standard e-mail template full of HTML eyecandy, the
more clickable links   to improve accessibility,  and  banks among the
worst offenders.
Those encourage phishing,   because  HTML just provides way too many
methods of  faking a URL,  or making a 'button'  or 'link'  go to
somewhere else besides what is suggested by the e-mail text.

All an e-mail user needs to do is click on one unknown link,  to  be
quietly diverted to a fake website,  that will then ask the user to
"change" a password;   it makes no difference whether the e-mail
itself is  about passwords or  a security issue or not.
Convincing the user to "log in" can be done while they are visiting
the fake website.



There are plenty of phishers that rely on convincing users to hit the
'reply' button and divulge sensitive info,  with no  clickable items
in the message  at all.

But this particular item from RIPE here appears to be a plain text message...
text/plain

The message from RIPE is darn benign, and does not really encourage
phishing moreso.
When was the last time you saw a phishing attempt in a  text/plain
e-mail showing the name of  a HTTPS location
on  the real organization's web site ?

If sending out a web address "encourages phishers",  then what are
they supposed to provide to make  sure maintainer users  can easily
and quickly change their password?

RIPEs not encouraging phishing by sending such a message.   MUA
developers who  included   text/html     MIME type support and support
creating clickable objects in a HTML message  have encouraged
convincing phishing  very much so.


What RIPE did there is a perfectly example of what should be done.
Send plain text e-mail with the URL location to review,  no  HTML
doodads.

They have no control of your e-mail client  that for some reason
perhaps turns a plaintext URL into something you can click.

I received the enclosed note, apparently from RIPE (and the headers check out).
Why are you sending messages with clickable objects that I'm supposed to use to
change my password?



--
-JH


  By Date           By Thread  

Current thread:
[ Nmap | Sec Tools | Mailing Lists | Site News | About/Contact | Advertising | Privacy ]