
Key: MISC-347
Type: New Feature
Status: In Progress
Priority: Nice to have
Assignee: Yoz Linden
Reporter: Yumi Murakami
Votes: 17
Watchers: 1

Provide guidelines for authenticating e-mail claiming to be from Linden Lab

Created: 27/Jun/07 07:26 PM   Updated: 08/Aug/08 04:04 AM
Component/s: Miscellaneous
Affects Version/s: None
Fix Version/s: None


Linden Lab Issue ID: SL-48110

Description
Several residents are reporting recently receiving e-mails claiming to be from Linden Lab asking them to update billing information, but they have no way of establishing whether they are phishing e-mails or not. Since requests to update billing information are a classic phishing request, many may disregard these e-mails, running the risk of losing their accounts if they are genuine.

Please determine a set of guidelines that can be used to determine whether an e-mail claiming to be from Linden Lab is in fact genuine or not, publish these guidelines on the blog, and apply them in the future. The guidelines should be such that it is impossible for a non-Linden source to create e-mails that meet them. Some possible guidelines that could be used would be:

1: Include information in the e-mail that only Linden Lab would know. For example, an e-mail could include a user's avatar name and registered real name. Alternatively, the user could be asked to enter a "secret" in the My Account page or at sign-up time, and this secret would be reproduced in all e-mails sent by Linden Lab to them.
2: No e-mail should ask a user to visit a web page outside the secondlife.com domain. If it is necessary to link users to such a page, then please create a link page to it on secondlife.com and refer users to this link page in the e-mail.
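Guideline 2 above can be checked mechanically by whoever receives or sends the mail. The following is an added example, not part of the issue or of any Linden Lab code: it pulls every link out of an HTML e-mail body and reports those whose host is not secondlife.com or one of its subdomains. The sample mail body is constructed for the example; it mixes two legitimate links with the usual look-alike tricks (trusted name as a subdomain, as a user@ prefix, or as a path).

```python
"""Flag links in an HTML e-mail that leave the secondlife.com domain."""
from html.parser import HTMLParser
from urllib.parse import urlsplit

TRUSTED_DOMAIN = "secondlife.com"

# Constructed sample mail body: two legitimate links followed by four look-alikes.
SAMPLE_MAIL = """
<p><a href="https://secondlife.com/account/">Update your billing information</a></p>
<p><a href="HTTPS://Support.SecondLife.com/">Help</a></p>
<p><a href="http://secondlife.com.example.net/login">Login</a></p>
<p><a href="http://secondlife.com@example.net/">Account</a></p>
<p><a href="http://example.net/secondlife.com/">Billing</a></p>
<p style="font-size:8px"><a href="http://mailer.example.net/unsub">Unsubscribe</a></p>
"""

class _LinkCollector(HTMLParser):
    """Collects every <a href> and <form action> target in the HTML body."""

    def __init__(self):
        super().__init__()
        self.links = []

    def handle_starttag(self, tag, attrs):
        attrs = dict(attrs)  # HTMLParser lowercases attribute names for us
        if tag == "a" and attrs.get("href"):
            self.links.append(attrs["href"])
        elif tag == "form" and attrs.get("action"):
            self.links.append(attrs["action"])

def is_trusted_link(url: str) -> bool:
    """True only for http(s) URLs whose host is secondlife.com or one of its subdomains."""
    parts = urlsplit(url.strip())
    if parts.scheme not in ("http", "https"):  # urlsplit lowercases the scheme
        return False  # mailto:, javascript:, data: and scheme-relative links never qualify
    host = parts.hostname  # lowercased; any user@ prefix and :port are already stripped
    if not host or not host.isascii():
        return False  # internationalised look-alike hosts are treated as off-domain
    host = host.rstrip(".")
    # Match at a label boundary, so "secondlife.com.example.net" does not pass.
    return host == TRUSTED_DOMAIN or host.endswith("." + TRUSTED_DOMAIN)

def untrusted_links(html: str) -> list:
    """Return the links in the HTML body that point anywhere outside secondlife.com."""
    collector = _LinkCollector()
    collector.feed(html)
    return [u for u in collector.links if not is_trusted_link(u)]
```

Run against `SAMPLE_MAIL`, `untrusted_links` returns the last four links; a mail that follows guideline 2 yields an empty list.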



Comments
Matthew Dowd added a comment - 28/Jun/07 03:43 AM
In addition, e-mails concerning accounts, passwords and/or billing should only be sent from Linden Lab e-mail accounts, and not from third party accounts.

Rather than linking to any webpage, users should be directed to the main secondlife.com front page and given directions from there (e.g. click on Accounts from www.secondlife.com).


McCabe Maxsted added a comment - 04/Jul/07 08:36 PM
I'm updating this one to blocker as it could prevent people from accessing their accounts and result in linden theft.

Lindal Kidd added a comment - 09/Jul/07 06:56 PM
A similar situation occurs when creating a new account...my anti-phishing/anti-spyware notifies me that the security certificate belongs to a third party site (vresp.com) and issues a caution. Makes it look like the whole Second Life registration process has been hacked by scammers.

Torley Linden added a comment - 11/Jul/07 09:15 AM
These are good points. Thanks for taking the time to raise them here.

Already, I know Yoz Linden has contacted Vertical Response (the aforementioned vresp.com, which we do mass emails through) to clarify the authenticity of future sent emails. I'll import this and get Yoz's attention on it.


Yoz Linden added a comment - 12/Jul/07 06:12 PM
Linden Lab sent out another email today to select residents regarding the same issue - namely, requesting that recipients update their billing information. We hope that this email will set off the mental phishing filters of far fewer people. Here are a couple of the things we did this time that should make a difference:

1: Started the email by referencing the resident's avatar name. The combination of email and avatar name is (unless explicitly revealed by the resident elsewhere) only known by us.
2: Included several links in the HTML version of the mail, of which only the last (in a much smaller font, right at the bottom) points anywhere outside the secondlife.com domain.

Both of these actions were recommended by Yumi Murakami and others - thanks!

Unfortunately, one of the changes we weren't able to make was the email address specified in the From: header. This still uses the vresp.com domain, due to Vertical Response's own restrictions. If the feedback from this mailout shows that this is still a major issue, we'll pursue it more actively.

I'm not going to mark this issue "Resolved" yet, nor blog about it, because it's still in progress - the feedback from this mailout will give us much more information about what more is needed, or if we're already on target. If you receive one of these mails, do let me know what you think!


Celierra Darling added a comment - 12/Jul/07 11:46 PM
Linked to MISC-414, though I'm not sure which version of the e-mail it was...

Tammy Nowotny added a comment - 18/Nov/07 09:39 PM
Another useful thing which you guys at Linden Lab are pretty good about doing to establish the non-phishiness of your emails is to write everything in good English. For whatever reason, phishers and spammers are rarely if ever capable of writing even a few sentences of understandable and grammatically correct English prose, even though they have amazing technical skills and are very clever (in an evil way).

stevenSDF Fisher added a comment - 19/Nov/07 03:46 PM
How about confirming what the email says on the account page: if the details need updating, send the email and also have the web site place a message on the user's account page on the site. If this doesn't happen already, couldn't this also help?

ServMe Nakamura added a comment - 05/May/08 03:48 PM
A possible solution could also include having the e-mail contain a numeric code which is also listed on the SL account page for the avatar. If the codes don't match, the mail should be considered phishing.

Reasoning: while a scammer can fake a LL or Vertical Response mail, it's much harder to fake both the mail and the account page at the same time.
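One way to implement the matching code above, and the "secret reproduced in every e-mail" idea from the description, is for the mailer and the account page to derive the same code from a server-side key instead of storing one per resident. This is an added example, not Linden Lab code; the key, the mailout identifier format and the name normalisation are assumptions made for the example.

```python
"""Per-mailout verification code that the mailer and the account page both derive."""
import hashlib
import hmac

# Constructed placeholder: the real key would live only on the mailer and account servers.
SERVER_KEY = b"placeholder-server-key-change-me"

def mailout_code(avatar_name: str, mailout_id: str, key: bytes = SERVER_KEY) -> str:
    """Derive a 6-digit code bound to one resident and one specific mailout.

    The mailer prints the code in the e-mail; the account page recomputes the same
    value on demand, so nothing has to be stored per resident. Without the key, a
    scammer who forges the mail cannot predict what the account page will show.
    """
    # Assumed normalisation so "Yumi Murakami" and " yumi murakami " yield one code.
    message = f"{mailout_id}\n{avatar_name.strip().lower()}".encode("utf-8")
    digest = hmac.new(key, message, hashlib.sha256).digest()
    # HOTP-style dynamic truncation (RFC 4226): 31 bits at an offset chosen by the last nibble.
    offset = digest[-1] & 0x0F
    value = int.from_bytes(digest[offset:offset + 4], "big") & 0x7FFFFFFF
    return f"{value % 10**6:06d}"

def code_matches(account_page_code: str, code_in_mail: str) -> bool:
    """Constant-time comparison of the account-page code with the one printed in the mail."""
    return hmac.compare_digest(account_page_code.encode(), code_in_mail.strip().encode())
```

A code from a different mailout or for a different avatar will not match, which is what lets the resident reject a forged mail that reuses an old code.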


nya Linden added a comment - 06/Jun/08 12:32 PM
For now, using resident names, the SL logo, and making sure all links point to secondlife.com has seemed to mostly clear up questions about whether the email is official. Other suggested improvements would be nice to have, but aren't currently critical.

SignpostMarv Martin added a comment - 08/Aug/08 03:41 AM
Issue description reads as a feature request, not a bug.