On Fri, Feb 10, 2012 at 10:56 AM, Steven Bellovin <smb@cs.columbia.edu> wrote:
> I received the enclosed note, apparently from RIPE (and the headers check out). Why are you sending messages with clickable objects that I'm supposed to use to change my password?

You know, clickable objects in automated business communications are a standard practice: the larger the organization sending the message, the more complicated and annoying their standard e-mail template full of HTML eye candy, the more clickable links to improve accessibility, and banks are among the worst offenders.

Those encourage phishing, because HTML just provides way too many methods of faking a URL, or making a 'button' or 'link' go to somewhere else besides what is suggested by the e-mail text. All an e-mail user needs to do is click on one unknown link to be quietly diverted to a fake website that will then ask the user to "change" a password; it makes no difference whether the e-mail itself is about passwords or a security issue or not. Convincing the user to "log in" can be done while they are visiting the fake website.

There are plenty of phishers that rely on convincing users to hit the 'reply' button and divulge sensitive info, with no clickable items in the message at all.

But this particular item from RIPE here appears to be a plain text message... text/plain. The message from RIPE is darn benign, and does not really encourage phishing more so. When was the last time you saw a phishing attempt in a text/plain e-mail showing the name of an HTTPS location on the real organization's web site?

If sending out a web address "encourages phishers", then what are they supposed to provide to make sure maintainer users can easily and quickly change their password?

RIPE's not encouraging phishing by sending such a message. MUA developers who included text/html MIME type support and support for creating clickable objects in an HTML message have encouraged convincing phishing very much so.

What RIPE did there is a perfect example of what should be done. Send plain text e-mail with the URL location to review, no HTML doodads. They have no control of your e-mail client that for some reason perhaps turns a plaintext URL into something you can click.

--
-JH
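The mismatch the post describes (anchor text that shows one host while the href goes to another) is something a mail filter can check for, as this added example shows; it is not code from the thread or from RIPE, and it uses a constructed HTML fragment with RFC example domains (example.org standing in for the real site, example.net for the impostor) and a deliberately crude "last two labels" host comparison in place of a proper public-suffix lookup.

```python
from html.parser import HTMLParser
from urllib.parse import urlparse
import re

# Matches a bare hostname or URL inside the visible anchor text.
HOST_RE = re.compile(r"(?:https?://)?((?:[a-z0-9-]+\.)+[a-z]{2,})", re.I)

# Constructed sample: one anchor shows the real site but points elsewhere,
# one anchor's visible text and href agree (what a plain-text URL amounts to).
SAMPLE_HTML = (
    '<p>Change your password at '
    '<a href="https://www.example.net/reset">https://www.example.org/</a> '
    'or at <a href="https://www.example.org/reset">www.example.org/reset</a>.</p>'
)

class AnchorCollector(HTMLParser):
    """Collect (href, visible text) for each <a> element in the HTML part."""
    def __init__(self):
        super().__init__()
        self.anchors, self._href, self._text = [], None, []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href, self._text = dict(attrs).get("href", ""), []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.anchors.append((self._href, "".join(self._text).strip()))
            self._href = None

def registrable(host):
    """Crude last-two-labels comparison; a real filter would consult the PSL."""
    return ".".join(host.lower().split(".")[-2:])

def find_deceptive_links(html):
    """Return (visible_text, href) for anchors whose text names a different host than the href."""
    parser = AnchorCollector()
    parser.feed(html)
    hits = []
    for href, text in parser.anchors:
        match = HOST_RE.search(text)
        if match is None:
            continue  # text like "click here" claims no destination to compare
        if registrable(match.group(1)) != registrable(urlparse(href).hostname or ""):
            hits.append((text, href))
    return hits
```

Run `find_deceptive_links(SAMPLE_HTML)` to see the first anchor flagged and the honest second one pass; a text/plain message, having no href at all, has nothing for this check to disagree with.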