Hi, Today, I received an email from fas@xxxxxxxxxxxxxxxxx with the subject line "Fedora Account System: please verify your Bugzilla email address". This email has a unique link to accounts.fedoraproject.org. Based on the context, it seems legitimate. However, I noticed that clicking the link will take you to a sign-in page asking for credentials to your account. That seems strange to me, because it already has a unique link that's associated with the verification of a specific email in a specific FAS account, so asking for credentials should be completely unnecessary here. Asking for credentials makes this appear to be a phishing attempt, because that's how a phishing email would behave (appearance of legitimacy, requesting credentials when not needed). I think the FAS developers should remove the requirement to sign-in for these verification emails, to reduce the appearance/behavior of phishing. The email itself says these emails are "To improve security". If that is a goal, then Fedora systems should avoid training users to supply credentials when not needed. Thanks, Christopher _______________________________________________ devel mailing list -- devel@xxxxxxxxxxxxxxxxxxxxxxx To unsubscribe send an email to devel-leave@xxxxxxxxxxxxxxxxxxxxxxx Fedora Code of Conduct: https://docs.fedoraproject.org/en-US/project/code-of-conduct/ List Guidelines: https://fedoraproject.org/wiki/Mailing_list_guidelines List Archives: https://lists.fedoraproject.org/archives/list/devel@xxxxxxxxxxxxxxxxxxxxxxx Do not reply to spam on the list, report it: https://pagure.io/fedora-infrastructure
