[arin-ppml] Access to list of Number Resources with no valid POCs

Ted Mittelstaedt tedm at ipinc.net
Wed Aug 20 12:24:19 EDT 2014



On 8/19/2014 6:17 PM, John Curran wrote:
> On Aug 19, 2014, at 4:33 PM, Ted Mittelstaedt<tedm at ipinc.net>  wrote:
>> ...
>> There is one issue that Martin didn't mention that might be the cause of the POC validation issues.  To put it as simply as I can, the
>> emails that ARIN sends out for POC validation look exactly like phishing
>> emails.
>>
>> I got one of those mails and I could hardly believe that one of the top Internet companies would actually send out an email that EMBEDDED A URL LINK in the mail message.
>>
>> I opened the message in a text editor to make sure the link was actually
>> going to where it was supposed to go before clicking it.
>>
>> Your people should know better.  How many spams a day do you get purporting to be from UPS/FedEX/BankofAmerica/IRS/etc. etc. etc. with
>> embedded links in them and an enticing email message to try to get the
>> people to click on the link (which of course immediately redirects them
>> to a broken-into server)  A lot, huh?  So what on earth makes you think
>> that your validation emails won't be regarded as phishes by the clueful
>> people who get them - network admins?
>>
>> The only spamproof way of getting a proper email validation is to
>> ask the recipient to REPLY then you parse the replies that come back
>> in.
>>
>> Nobody who wrote this policy had thought that ARIN would ever resort
>> to a tactic that is used by spammers and phishers and identity thieves
>> thousands of times a day - which is to embed a clickable URL in the
>> validation email message.
>>
>> It does not surprise me that some are complaining they missed the
>> validation email.
>
> Ted -
>
>    We did get feedback from some folks that they do not click on URLs
>    embedded in email messages, and recently (2Q 2014) have added text
>    to the validation email to state that you can "reply" to the email
>    instead to validate (as well as the necessary back-end processing
>    for replies received.)  This provides a safe option for those who
>    do not wish to click on a URL but still wish to validate their POC.
>
>    Note that many folks do presently click on the URL, as it is both
>    to an arin.net address and is visible with the same text as the
>    actual underlying URL. As you are well aware, emails of the phishing
>    variety almost always have URLs which purport one thing but refer
>    to some different underlying hyperlink.
>
>    Does providing the simple "reply" option as you suggest suffice,
>    or do you believe that email reply should be the only option, with
>    the present arin.net URLs stripped from the validation email?
>

Hi John,

   Embedded URLs are not really the problem - the problem is
MIME-encoded email and HTML-encoded email that have the embedded
URLs.

   If you are sending clickable URLs out in pure ASCII (text) emails then
there isn't any problem.  The fact is that many email clients
when they see URLs in ASCII mail will make them "clickable".  A
pure text email cannot hide a different URL behind one URL.

   In an ideal world the URL would not exist in the email, because 
including it helps to legitimize the practice.

   But in practicality the most important thing is getting validation
that the email address is being read by a human being, and the embedded
URL does accomplish that.  It may also be that the destination email
address is something like "hostmaster at example.com" and is being
forwarded to a recipient whose knee-jerk Reply would be to send the
reply with a different sender's address than what you emailed to (which
might complicate parsing the replies).

   Since you're getting significant returns on the clicks then you should
continue to use them - but my vote would be to ONLY use them in TEXT
emails.

   I know that sending pure text emails is out of fashion - since that
precludes people putting in all kinds of fancy logos and formatting 
which they believe are necessary to the continuation of the species -
but us old timers were formatting ASCII-only email since before most
of the young whippersnappers out there were in diapers. ;-)

Ted

> Thanks!
> /John
>
> John Curran
> President and CEO
> ARIN
>
>
>
>
>
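
The distinction drawn in this thread, that an HTML part can show one URL while linking to another and a plain-text part cannot, can be checked mechanically on a received message. The following is an added example, not part of the original thread or any ARIN tooling; the function names and the registry.example / other.example sample messages are constructed for illustration.

```python
from email import message_from_string
from email.policy import default
from html.parser import HTMLParser
from urllib.parse import urlparse

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for every <a> element."""
    def __init__(self):
        super().__init__()
        self.links, self._href, self._text = [], None, []
    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href") or "", []
    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)
    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None

def host(url):
    # Treat scheme-less visible text such as "www.example.net/x" as a URL too.
    return (urlparse(url if "://" in url else "//" + url).hostname or "").lower()

def audit(raw_message):
    """Flag HTML parts, and anchors whose visible URL names a different host."""
    findings = []
    msg = message_from_string(raw_message, policy=default)
    for part in msg.walk():
        if part.get_content_type() != "text/html":
            continue  # a text/plain part has no markup to hide a target behind
        findings.append("html-part")
        collector = AnchorCollector()
        collector.feed(part.get_content())
        for href, text in collector.links:
            looks_like_url = "." in text and " " not in text
            if looks_like_url and host(text) != host(href):
                findings.append(f"mismatch: shows {host(text)}, goes to {host(href)}")
    return findings

# Constructed sample messages (not real validation mail).
PLAIN = ("From: validation@registry.example\nSubject: POC validation\n"
         "Content-Type: text/plain; charset=us-ascii\n\n"
         "Validate here: https://www.registry.example/validate?t=PLACEHOLDER\n")
HTML = ("From: validation@registry.example\nSubject: POC validation\n"
        "Content-Type: text/html; charset=us-ascii\n\n"
        '<p>Validate: <a href="https://login.other.example/v">'
        "https://www.registry.example/validate</a></p>\n")
```

A sender can run the same check on outgoing validation mail to confirm it contains no HTML part at all.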


