
[WoW] A solution for phishing



Souca
05-18-2010, 01:56 PM
All,

I just submitted a suggestion I had for allowing users to verify emails from Blizzard by archiving them on a section within the Battle.net account pages. Not sure if you think it's a decent idea or how the suggestions thing works, but if you do like it, I'd encourage you to comment on it on the forums.

The link is here (http://forums.worldofwarcraft.com/thread.html?topicId=24915353862&postId=249128822110&sid=1#0). A summary of the post is below:



Subject: Battle.net Correspondence Section

Place a section within the Battle.net Account manager that lists all account related emails that Blizzard has sent regarding the games attached to that Battle.net account. This would provide a safe method for users to validate that an email they received was in fact from Blizzard. This section would not need to include the Blizzard Insider, but should include promotional emails, such as those asking players to reactivate accounts, or any other message that a third party is likely to use in a phishing attempt. All emails sent from Blizzard should include text explaining that the user can log on to their Battle.net account to confirm the validity of the message. Messages should be kept for at least 60 days.

I voluntarily submit this suggestion to Blizzard Entertainment and grant them full use of it without limit.


- Souca -

Shodokan
05-18-2010, 03:17 PM
Actually a sound and easily implemented idea.

Toned
05-19-2010, 11:46 AM
That is a really good idea ^^

Norrin
05-19-2010, 12:04 PM
As a developer, I would agree this is an easily implemented solution.
I like it too.

zenga
05-19-2010, 12:30 PM
How I understand your suggestion:

The theory is good, people can double-check. However, I'd like to know how many people actually 'would' double-check.

About being easily implementable: that totally depends on their infrastructure. From my experience, usually the front end (the site) is totally separated from the mail server.

rfuilrez
05-19-2010, 12:44 PM
Who cares if it's separated from the mail server? They're still networked together, even if they're not on the same machine. Besides that, to send an email, they're already pulling information out of the database for your account. All they should have to do is add a table for recent "blue" emails to the database, and when they pull your email address, add an entry for the email they're sending. Then it's a simple SQL query by the web server to pull the information and display it.

To even go one step further, my bank sends me emails saying "You have a message. Log in to your account to view it". Though, this may be a little overkill for a game.
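A sketch of the table-plus-lookup design described in this post, written as an added example for this thread (it is not code from the thread or from any Blizzard system). It uses SQLite: the mail-sending path records a fingerprint of each outbound message, the account page lists messages from the last 60 days, a received message is verified by fingerprint only, and anything older than the retention window is purged. The table and function names, the account id `acct-123` and the sample messages are constructed for the illustration.

```python
import hashlib
import sqlite3
from datetime import datetime, timedelta, timezone

RETENTION_DAYS = 60  # keep messages for at least 60 days, as the suggestion proposes


def normalize(text: str) -> str:
    # Collapse whitespace so copy/paste differences do not break the match.
    return " ".join(text.split())


def fingerprint(subject: str, body: str) -> str:
    # The archive stores a digest, not the mail body, so it cannot leak content.
    data = normalize(subject) + "\n" + normalize(body)
    return hashlib.sha256(data.encode("utf-8")).hexdigest()


def open_db(path: str = ":memory:") -> sqlite3.Connection:
    db = sqlite3.connect(path)
    db.execute(
        """CREATE TABLE IF NOT EXISTS sent_mail (
               id INTEGER PRIMARY KEY,
               account_id TEXT NOT NULL,
               sent_at TEXT NOT NULL,      -- ISO-8601 UTC timestamp
               subject TEXT NOT NULL,
               fingerprint TEXT NOT NULL)"""
    )
    db.execute("CREATE INDEX IF NOT EXISTS idx_acct ON sent_mail(account_id, fingerprint)")
    return db


def record_sent_email(db, account_id, subject, body, sent_at=None):
    # Called by the mail-sending path at the moment the message goes out.
    sent_at = sent_at or datetime.now(timezone.utc)
    db.execute(
        "INSERT INTO sent_mail (account_id, sent_at, subject, fingerprint) VALUES (?, ?, ?, ?)",
        (account_id, sent_at.isoformat(), subject, fingerprint(subject, body)),
    )
    db.commit()


def _cutoff(now):
    now = now or datetime.now(timezone.utc)
    return (now - timedelta(days=RETENTION_DAYS)).isoformat()


def list_correspondence(db, account_id, now=None):
    # What the logged-in account page would show: recent subjects and send times.
    return db.execute(
        "SELECT sent_at, subject FROM sent_mail WHERE account_id = ? AND sent_at >= ? "
        "ORDER BY sent_at DESC",
        (account_id, _cutoff(now)),
    ).fetchall()


def verify_received(db, account_id, subject, body, now=None) -> bool:
    # True only if this exact message was sent to this account within the window.
    row = db.execute(
        "SELECT 1 FROM sent_mail WHERE account_id = ? AND fingerprint = ? AND sent_at >= ? LIMIT 1",
        (account_id, fingerprint(subject, body), _cutoff(now)),
    ).fetchone()
    return row is not None


def purge_expired(db, now=None) -> int:
    # Housekeeping job: drop entries past the retention window; returns rows removed.
    cur = db.execute("DELETE FROM sent_mail WHERE sent_at < ?", (_cutoff(now),))
    db.commit()
    return cur.rowcount


def demo():
    # Constructed sample data: one recent notice, one stale notice, one forged copy.
    db = open_db()
    now = datetime(2010, 5, 20, tzinfo=timezone.utc)
    genuine_body = "Your account is inactive. Log in to the account management page to reactivate."
    record_sent_email(db, "acct-123", "Reactivate your account", genuine_body,
                      sent_at=now - timedelta(days=3))
    record_sent_email(db, "acct-123", "Old notice", "Scheduled maintenance notice.",
                      sent_at=now - timedelta(days=90))
    genuine = verify_received(db, "acct-123", "Reactivate your account", genuine_body, now=now)
    forged = verify_received(db, "acct-123", "Reactivate your account",
                             genuine_body + " Visit http://example.invalid/ now.", now=now)
    visible = len(list_correspondence(db, "acct-123", now=now))
    purged = purge_expired(db, now=now)
    return genuine, forged, visible, purged


if __name__ == "__main__":
    print(demo())  # (True, False, 1, 1)
```

The lookup is keyed on the account the user is already logged in to, so a forged message cannot be "confirmed" by anyone who does not hold that session; the sending side only needs one extra INSERT, which matches the "add a table and an entry per email" shape argued above.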

Souca
05-19-2010, 01:00 PM
Thanks for the feedback. I went ahead and bumped my own official thread since it had slipped down to page 8. I'd really like to see them do this, since there have been some emails I was never really sure about. Luckily they weren't ones I needed to respond to, so it was safer to just ignore them.

- Souca -

Toned
05-20-2010, 04:24 PM
1 Stored proc would solve the problem ^^

Maxion
05-20-2010, 04:36 PM
I can just see if this gets implemented, all the phishing mails will have a link to "battle.net" for verifying the email.
Nothing that can be done about stupid people getting scammed, I guess, but at least the suggestion would help us more cautious users know for sure about each email.

Souca
05-20-2010, 05:31 PM
I can just see if this gets implemented, all the phishing mails will have a link to "battle.net" for verifying the email.
Nothing that can be done about stupid people getting scammed, I guess, but at least the suggestion would help us more cautious users know for sure about each email.

I actually thought about putting something in there about not linking to the list of messages, since those will just be another phishing link. It would put a higher burden on the phisher though, since they would need to include more account-specific stuff on the phishing page. Granted, I'm not sure how good the spoofs are in the first place, as I have never clicked on a link to go to the WoW pages; I always type the URL out just to be safe.

- Souca -

kernel.k
05-20-2010, 08:59 PM
I right-click and view source on all Blizz emails. Most are phishing scams. The inbox may say Blizz or wowaccountadmin, but these are easily spoofed. The source reveals all! You will not find any ISP info in a legit one except the Blizz name, mostly routing info + hotmail or yahoo blah blah blah, obviously fake.

Hivetyrant
05-20-2010, 09:23 PM
I made a reply as a bump, a great idea methinks!

Maxion
05-20-2010, 10:53 PM
I actually thought about putting something in there about not linking to the list of messages, since those will just be another phishing link. It would put a higher burden on the phisher though, since they would need to include more account-specific stuff on the phishing page. Granted, I'm not sure how good the spoofs are in the first place, as I have never clicked on a link to go to the WoW pages; I always type the URL out just to be safe.

- Souca -
They wouldn't need to put anything on the phishing page, once you've clicked the link, the website could install a keylogger etc.

Zub
05-20-2010, 11:19 PM
It's a good idea, but unfortunately I can't see it helping.

- the people that WILL go check the battle.net mail page are the same that already check the validity of the URLs

- the people that click on phishing links without checking won't go check the battle.net account.

So all in all, it would only be a way to further convince those that already know how to defend themselves. Basically it would just be another proof of whether an email is a scam or not.

But when you check the links it's already very easy to find the phishing emails.


The thing I like the idea for is that I wouldn't have to sort between the true and fake Blizzard emails. I would simply delete them all and go to the website to see what is going on.

Toned
05-21-2010, 02:51 PM
Having cata ship with authenticators + this idea would be leet.


Just have the email from Blizz say: "Dear Whoever, there is a new message in your battle.net account" (no link, nothing to emulate). Then the user has to go to battle.net themselves and check. Yes, people will still phish and people will still fall for it, but they are probably genetic throwbacks anyway and Blizz can't protect everyone from themselves.

blast3r
05-22-2010, 02:12 PM
I have never had my credentials on anything compromised. I work in computer security so I am a bit more cautious I guess.

Whenever you get an email that includes a link where it asks you to log in, stop and take a close look at the message. If you click on the link it will load up your browser and then you can see the domain. Copy the domain name and go to DNS411.com and do a whois on it. It will show you who owns that domain.

It is mainly just slowing down and being cautious.

I do think that the OP's idea is a good one; however, it might never be implemented.
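The "look at the domain before you do anything" step above can be automated for the part that needs no network lookup: extracting the registrable host from a link and checking it against a short allowlist. The following is an added example for this thread, not code from the thread or from any vendor; the allowlist entries, the helper names and the sample URLs (all on `example.com`/`example.net`/`example.invalid` or documentation IP ranges) are constructed for the illustration. It uses only `urllib.parse` from the standard library.

```python
from urllib.parse import urlparse

# Illustrative allowlist of domains whose subdomains are acceptable (assumption for the example).
TRUSTED_DOMAINS = ("battle.net", "blizzard.com", "worldofwarcraft.com")


def link_host(url: str):
    """Return the lowercase hostname a browser would actually connect to, or None."""
    parsed = urlparse(url.strip())
    if parsed.scheme not in ("http", "https"):
        return None
    # .hostname discards any user@ prefix and port, and lowercases the result,
    # so "http://trusted@evil/" resolves to "evil", as a browser would.
    host = parsed.hostname
    return host.rstrip(".") if host else None


def is_trusted_link(url: str, trusted=TRUSTED_DOMAINS) -> bool:
    """True only if the host is exactly a trusted domain or a subdomain of one."""
    host = link_host(url)
    if host is None:
        return False
    for domain in trusted:
        # Require a label boundary: "battle.net.example.com" must not pass
        # because "battle.net" merely appears as a prefix.
        if host == domain or host.endswith("." + domain):
            return True
    return False


def classify_links(urls):
    """Map each link to (host, trusted?) so a reader can see what was compared."""
    return [(url, link_host(url), is_trusted_link(url)) for url in urls]


if __name__ == "__main__":
    # Constructed sample links of the kinds a reader would want to tell apart.
    samples = [
        "https://us.battle.net/account/management/",
        "http://battle.net.example.com/login",        # trusted name used as a subdomain
        "http://account@worldofwarcraft.com@203.0.113.9/",  # userinfo trick; host is the IP
        "https://blizzard.com.example.net/",
        "ftp://blizzard.com/",                         # wrong scheme for a login page
    ]
    for url, host, ok in classify_links(samples):
        print(f"{'trusted  ' if ok else 'UNTRUSTED'}  host={host!s:30}  {url}")
```

Passing this check is necessary, not sufficient: it tells you the link points at an allowlisted domain, not that the message itself is genuine, which is exactly the gap the OP's account-page archive is meant to close. The whois step the post describes still has to be done against a registry lookup service.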

heyaz
05-23-2010, 01:49 AM
the solution is to stop being stupid

Fiddlesticks
05-23-2010, 01:55 AM
the solution is to stop being stupid

^^^