Determining Legitimacy of "Verify Your Account" Email

We have a user who is repeatedly receiving “Verify Your Account” emails from no-reply@auth0user.net.

The verification link text is: https[://]coachereports[dot]us[dot]auth0[dot]com/u/email-verification?ticket=…

The actual verification link goes to:
https[://]u37752131[dot]ct[dot]sendgrid[dot]net/ls/click?upn=…

The text under the “Verify Your Account” button says:
If you are having any issues with your account, please don’t hesitate to contact us by replying to this mail.

Thanks!

The reply-to address on the email is just no-reply@auth0user[dot]net.

At the very bottom of the email, there’s the following text:
You’re receiving this email because you have an account in coachereports. If you are not sure why you’re receiving this, please contact us.

The user in question is familiar with COACHE Reports, but they don’t have any account with any website or application that they’re aware of. They merely receive these reports occasionally as part of their academic work.

I don’t see a website at coachreports[dot]us or elsewhere that would help me investigate any further.

I have no idea who to contact either at “coachereports” or at auth0 to determine the legitimacy of this message, who’s sending it, or why.

Any ideas?

Thanks.

P.S. Assuming these messages were initiated by auth0 and aren’t spoofed (I haven’t been able to review the raw headers yet), it’s very bad form for there to be no real indication of what application is triggering these messages and for there to be no actual way to contact someone. The only info we have is that the message came from auth0 and is allegedly on behalf of something calling itself “coachreports”.

People running applications/sites that use auth0 should be required to have a valid domain and contact email that’s included in every single email that auth0 sends on their behalf, and for the reply-to header to be set to that email address.

The messages we’re getting state “don’t hesitate to contact us” and “please contact us”, but there is zero method to contact or even positively identify the site / application that is triggering the emails, and there is zero method to contact auth0 to investigate the legitimacy of the messages or report potential spam/phishing.

1 Like
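The first post lists the indicators worth checking on a message like this: the visible link text shows one domain while the real href goes somewhere else, the body asks the recipient to reply even though the Reply-To is a no-reply address, and the raw headers (SPF/DKIM results) have not yet been reviewed. The script below is an added example, not code from the thread or from Auth0; it parses a constructed sample message whose domains are placeholders, and the names `triage`, `registered_domain` and `extract_links` are chosen here for illustration.

```python
"""Triage helper for a suspect "Verify Your Account" e-mail.

Reads a raw RFC 5322 message and reports the indicators discussed in the
thread: link text vs. real href domain, a Reply-To that contradicts the
body's "reply to this mail" instruction, and the receiving server's
Authentication-Results (SPF/DKIM).
"""
import re
from email import message_from_string, policy
from html.parser import HTMLParser
from urllib.parse import urlparse

# Constructed sample modelled on the e-mail described in the thread.
# All addresses and domains are placeholders, not the real senders.
SAMPLE_EML = """\
From: no-reply@idp-mailer.example.net
Reply-To: no-reply@idp-mailer.example.net
To: user@university.example.edu
Subject: Verify Your Account
Authentication-Results: mx.university.example.edu; spf=pass; dkim=pass header.d=idp-mailer.example.net
Content-Type: text/html; charset="utf-8"

<html><body>
<p>Please verify your account:</p>
<a href="https://click.tracker.example.net/ls/click?upn=OPAQUE-TOKEN">
https://tenant.idp.example.com/u/email-verification?ticket=TICKET-ID</a>
<p>If you are having any issues, contact us by replying to this mail.</p>
</body></html>
"""


class _LinkCollector(HTMLParser):
    """Collects (href, visible text) pairs from <a> elements."""

    def __init__(self):
        super().__init__()
        self.links = []
        self._href = None
        self._text = []

    def handle_starttag(self, tag, attrs):
        if tag == "a":
            self._href = dict(attrs).get("href", "")
            self._text = []

    def handle_data(self, data):
        if self._href is not None:
            self._text.append(data)

    def handle_endtag(self, tag):
        if tag == "a" and self._href is not None:
            self.links.append((self._href, "".join(self._text).strip()))
            self._href = None


def registered_domain(host):
    """Crude registrable domain: the last two labels. Fine for a first
    triage pass; a public-suffix list is needed for co.uk-style TLDs."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def extract_links(html):
    parser = _LinkCollector()
    parser.feed(html)
    return parser.links


def triage(raw_message):
    msg = message_from_string(raw_message, policy=policy.default)
    body = msg.get_body(preferencelist=("html",))
    html = body.get_content() if body is not None else ""
    findings = []

    # 1. Does the link text show a different domain than the real destination?
    mismatches = []
    for href, text in extract_links(html):
        real = urlparse(href).hostname or ""
        shown = urlparse(text).hostname if text.startswith("http") else None
        if shown and registered_domain(shown) != registered_domain(real):
            mismatches.append((shown, real))
    if mismatches:
        findings.append("link text and href point at different registered domains")

    # 2. Does the body ask for a reply that the Reply-To address cannot receive?
    reply_to = str(msg["Reply-To"] or msg["From"] or "").lower()
    asks_reply = re.search(r"\breply(ing)? to this (e-?)?mail\b", html, re.I) is not None
    if asks_reply and "no-reply" in reply_to:
        findings.append("body asks for a reply but Reply-To is a no-reply address")

    # 3. What did the receiving MTA record for SPF and DKIM?
    auth = str(msg["Authentication-Results"] or "")
    spf_ok = "spf=pass" in auth
    dkim_ok = "dkim=pass" in auth
    if not (spf_ok and dkim_ok):
        findings.append("SPF/DKIM did not both pass; sender may be spoofed")

    return {
        "mismatched_links": mismatches,
        "reply_to": reply_to,
        "spf_pass": spf_ok,
        "dkim_pass": dkim_ok,
        "findings": findings,
    }


if __name__ == "__main__":
    for line in triage(SAMPLE_EML)["findings"]:
        print("-", line)
```

A passing SPF/DKIM result only tells you the mail really came from the identity provider's mailer, not which tenant triggered it; the domain in the displayed link (the tenant subdomain) is the one piece of data that points at the application, and the script surfaces it alongside the tracker domain so the two can be compared.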

Hi @bw_bloodletter

Welcome to the Auth0 Community!

Thank you for reporting that to us! Can you or your user forward the email to the community@auth0.com? We’ll take a look at this.

Thanks
Dawid

Thanks for the response. I’ve reached out to the user to ask them to forward in the latest message they’ve received, as well as CC us on it. They’ve just done that, so we’ll work through the community@auth0.com address.

2 Likes

Hi @bw_bloodletter

I’ve responded to your email! In terms of the 2nd part of your initial thread, as a service provider Okta is just your data processor and has no direct access to raw end users’ data.

Thanks
Dawid

1 Like

Thanks.

We’ve reached out to the organization you suggested, however we’re still not sure if the organization you pointed us to is the one initiating the emails or not. It is a known and trusted organization, and they are involved with COACHE reports, but so are many, many other institutions.

We’ll start there and if we can determine that they’re initiating the account verification requests, great. If they’re not initiating those requests, then we’ll need to instruct the user to ignore and delete them.

Regarding my other feedback, when a user is expecting to get those emails (when they set up or access an account), all is well and Auth0 / Okta being just a data processor is totally fine.

But when a user receives them, repeatedly and out of the blue, they look like phishing attempts. There’s no way for the user to determine if the request is legitimate, what account is being referenced (assuming such an account even exists), or even who/what is initiating the request. They are merely asked to click an obfuscated link.

Auth0 relays no registered contact info or application/service name. Auth0 doesn’t even provide contact info for Auth0 itself, despite the email telling users “If you are not sure why you’re receiving this, please contact us”.

Auth0 only includes a blurb of text that the initiator sets, which can include no meaningful information or malicious information. In this case, the included text said “please don’t hesitate to contact us by replying to this mail”, but of course that won’t work because the reply-to on the email is no-reply@auth0user[dot]net.

My suggestion would be for Auth0, at a minimum, to require an application/site/service URL from initiators and to include that in the message (You’re receiving this email because you have an account in servicename (serviceURL).) and to register a contact email address for that service and specify it for the reply-to header (as opposed to no-reply@auth0user.net). Even if that info is completely bogus and unverified by Auth0, it gives recipients something unique to help determine if the request is legitimate or not. For example, if the service URL or reply-to address has a domain of XYZ:

  • I set up my account at XYZ recently, so this is expected.
  • I don’t have an account at XYZ, I’m going to ignore this.
  • I do have an account at XYZ, but I don’t know why they’re sending me this, I’m going to XYZ directly to see if they’re saying my account / email address needs to be verified.
  • I have an account with XYZ, but I’m not sure about this request. The reply-to address is on the XYZ domain, so I’ll reach out and ask.
  • I have an account with XYZ, but I’m not sure about this request. The reply-to address is not on the XYZ domain and looks suspicious, so I’ll reach out to XYZ separately and ask.