cncf/surveys

Questionnaire asking for PII sent with no way to verify CNCF source

Closed this issue · 4 comments

jku commented

I received an email about a maintainers survey. The email contains a link to a non-CNCF site. The linked survey asks for my personally identifying information. There is no way for me to confirm if this email is phishing or not. Systems like this teach people (open source maintainers no less!) to click on random links and fill in their personal details.

Details:

  • Potential phishing link in the email is [ASP is redacting so that it's still private to maintainers] -- a URL that anyone could have created
  • Email sender information is easy to spoof
  • There is no information on a CNCF controlled site (like this GitHub project) that would show the survey link is trustworthy

Potential fix:

  • a redirect service on cncf.io so email could include a link like [ASP is redacting so that it's still private to maintainers] that would redirect to surveymonkey
  • or if that's not possible, explain the issue in the email and provide a link to a CNCF controlled site that verifies the survey link validity

amye commented

This went only to the maintainers list, was from me, and all messages to the maintainers lists are approved by CNCF staff personally.
So, while you may be correct, these are actively gated by CNCF staff.
Hope that helps!

jku commented

Thanks for the response. I think we've both understood each other but just to make sure:

these are actively gated by CNCF staff

The question is how were the recipients to know that the questionnaire is legitimate? I believe the answer is that there was no way to tell the email apart from an actual phishing email, but I'm happy to be proven wrong.

If the point was that we're protected because only you know the email addresses of the maintainers... I think that's just not sufficient. It's not hard to figure out maintainers of CNCF projects.

amye commented

Check my headers?
Also check to make sure that it's coming from the maintainers lists at lists.cncf.io?

closing as not sure what we can do here, we only send this out to the CNCF maintainers lists
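An added example, not code from the issue thread or from CNCF, of the check suggested above: look at the headers and confirm the mail came through the maintainers list at lists.cncf.io. It parses a constructed message's List-Id and the receiving server's Authentication-Results (DKIM) with Python's standard library; the receiving MTA name and the sample headers are assumptions.

```python
from email import message_from_string

# Constructed sample message for illustration; the headers are not from real mail.
RAW_MESSAGE = """\
Authentication-Results: mx.example.net;
 dkim=pass header.d=lists.cncf.io
List-Id: CNCF Maintainers <maintainers.lists.cncf.io>
From: Amye <amye@example.org>
Subject: Maintainer survey

Please fill out the survey.
"""

# Assumptions: the list domain named in the thread and a hypothetical name for our own
# receiving MTA. Only its Authentication-Results is trusted; a sender can forge one.
LIST_DOMAIN = "lists.cncf.io"
OUR_AUTHSERV = "mx.example.net"

def parse_auth_results(value):
    """Split Authentication-Results into (authserv-id, {method: (result, props)})."""
    parts = [p.strip() for p in value.split(";")]
    results = {}
    for part in filter(None, parts[1:]):
        tokens = part.split()
        method, _, result = tokens[0].partition("=")
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        results[method.lower()] = (result.lower(), props)
    return (parts[0].split() or [""])[0], results

def list_id_domain(msg):
    """Return the domain inside the List-Id angle brackets, lower-cased, or None."""
    list_id = msg.get("List-Id", "")
    if "<" not in list_id or ">" not in list_id:
        return None
    return list_id.split("<", 1)[1].split(">", 1)[0].strip().lower()

def came_via_list(raw):
    """Check List-Id is under the list domain and our MTA saw DKIM pass for it."""
    msg = message_from_string(raw)
    lid = list_id_domain(msg)
    if lid is None or not (lid == LIST_DOMAIN or lid.endswith("." + LIST_DOMAIN)):
        return False, f"List-Id missing or not under {LIST_DOMAIN}: {lid!r}"
    authserv, auth = parse_auth_results(msg.get("Authentication-Results", ""))
    if authserv != OUR_AUTHSERV:
        return False, f"Authentication-Results not stamped by {OUR_AUTHSERV}"
    dkim_result, dkim_props = auth.get("dkim", ("none", {}))
    if dkim_result != "pass" or dkim_props.get("header.d", "").lower() != LIST_DOMAIN:
        return False, f"no DKIM pass for {LIST_DOMAIN}: {dkim_result} {dkim_props}"
    return True, f"List-Id and DKIM both consistent with {LIST_DOMAIN}"
```

This only shows the mail transited the list; it says nothing about whether the survey link inside it is legitimate, which is the gap the issue is about.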