[arin-ppml] Access to list of Number Resources with no valid POCs
jcurran at arin.net
Tue Aug 19 21:17:57 EDT 2014
On Aug 19, 2014, at 4:33 PM, Ted Mittelstaedt <tedm at ipinc.net> wrote:
> There is one issue that Martin didn't mention that might be the cause of the POC validation issues. To put it as simply as I can, the
> emails that ARIN sends out for POC validation look exactly like phishing
>
> I got one of those mails and I could hardly believe that one of the top Internet companies would actually send out an email that EMBEDDED A URL LINK in the mail message.
> I opened the message in a text editor to make sure the link was actually
> going to where it was supposed to go before clicking it.
>
> Your people should know better. How many spams a day do you get purporting to be from UPS/FedEx/Bank of America/IRS/etc. etc. etc. with
> embedded links in them and an enticing email message to try to get the
> people to click on the link (which of course immediately redirects them
> to a broken-into server)? A lot, huh? So what on earth makes you think
> that your validation emails won't be regarded as phishes by the clueful
> people who get them - network admins?
>
> The only spamproof way of getting a proper email validation is to
> ask the recipient to REPLY then you parse the replies that come back
>
> Nobody who wrote this policy had thought that ARIN would ever resort
> to a tactic that is used by spammers and phishers and identity thieves
> thousands of times a day - which is to embed a clickable URL in the
> validation email message.
>
> It does not surprise me that some are complaining they missed the
> validation email.

We did get feedback from some folks that they do not click on URLs
embedded in email messages, and recently (2Q 2014) have added text
to the validation email to state that you can "reply" to the email
instead to validate (as well as the necessary back-end processing
for replies received.) This provides a safe option for those who
do not wish to click on a URL but still wish to validate their POC.

Note that many folks do presently click on the URL, as it is both
to an arin.net address and is visible with the same text as the
actual underlying URL. As you are well aware, emails of the phishing
variety almost always have URLs which purport one thing but refer
to some different underlying hyperlink.

Does providing the simple "reply" option as you suggest suffice,
or do you believe that email reply should be the only option, with
the present arin.net URLs stripped from the validation email?

President and CEO
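
The manual check described in the quoted message (reading the raw mail to see where a link really goes) and the mismatch described in the reply (visible text that names one URL while the underlying hyperlink points elsewhere) can be automated on the receiving side. The following is an added example, not part of the thread and not ARIN's code; the function names, the `/validate` path and both sample messages are constructed for illustration.

```python
from email import message_from_string
from html.parser import HTMLParser
from urllib.parse import urlsplit

class _Anchors(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def _host(url):
    return (urlsplit(url).hostname or "").lower().rstrip(".")

def check_links(raw_message, trusted="arin.net"):
    """Return (href, visible text, problems) for each link in the HTML parts."""
    msg = message_from_string(raw_message)
    parser = _Anchors()
    for part in msg.walk():
        if part.get_content_type() == "text/html":
            body = part.get_payload(decode=True)
            parser.feed(body.decode(part.get_content_charset() or "utf-8", "replace"))
    report = []
    for href, text in parser.links:
        problems, host = [], _host(href)
        if urlsplit(href).scheme != "https":
            problems.append("not https")
        if host != trusted and not host.endswith("." + trusted):
            problems.append("host outside " + trusted)
        if "://" in text and _host(text) != host:
            problems.append("visible text names a different host")
        report.append((href, text, problems))
    return report

# Constructed sample messages (not real ARIN mail; paths are placeholders).
GOOD = ("Subject: constructed sample\nContent-Type: text/html\n\n"
        '<a href="https://www.arin.net/validate?t=PLACEHOLDER">'
        "https://www.arin.net/validate?t=PLACEHOLDER</a>")
BAD = ("Subject: constructed sample\nContent-Type: text/html\n\n"
       '<a href="http://arin.net.example.org/validate">'
       "https://www.arin.net/validate</a>")
```

The suffix test compares against `"." + trusted`, so a host such as `arin.net.example.org` is not accepted as an arin.net address. Visible text without a scheme is not compared against the href.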