OK, I appreciate that eBay has a dedicated email address for reporting phishing attempts. I appreciate that their abuse department is a lot busier than I am, and therefore has to rely heavily on form letters. And I appreciate that they’re making an effort to educate the public on how to spot phishing and avoid getting caught.

But when I forward them a message with the comment, “Here’s a sample of a blatant phish,” is it really necessary to reply with the full two-page notice explaining, “This is a spoof, we didn’t send it, here’s how to avoid it, blah blah blah” and the entire body of the original message, complete with the links to the phishing site?

I’d think in this case a simple, “Thanks for the report, we’ve notified the authorities” note would be sufficient, especially since the “how to spot a phish” stuff is already in the auto-response. All it takes is giving their abuse staff an extra choice for the form letter.

And under no circumstances should they be including the full, original text of the phish. At best, it’s asking for the response to get lost in a spam box or blocked outright. At worst, it’s a security risk waiting to happen (since this copy really did come from eBay). Somewhere in the middle is the risk of mucking up adaptive filters as they try to reconcile the original message, which was spam, with the new message, which isn’t.

Lost in the news about the IE7 Beta and Mozilla Corporation has been Opera’s decision to stop spoofing IE in its latest preview release.

So what is User-Agent spoofing? Well, let’s say someone decides that he’ll only allow blondes into an event. Depending on how its done, UA spoofing can be like wearing a blonde wig, or it can be like a brunette wearing a badge that says “Blonde.”

For several years, Opera has done the latter, basically wearing a badge that says “I’m Internet Explorer (wink, wink).” The sites with oversimplistic detection are fooled, but anyone paying attention can tell that it’s Opera.

The next question: Why is it even an issue? Well, web developers want to make sure that visitors will actually be able to see the site as intended, but it’s historically been easier to look for the browser’s name and version than figure out exactly what it can do. So developers often do the equivalent of asking someone whether they can speak French by asking them whether they live in France. You’ll get French speakers, but you’ll also block people from Quebec or Haiti, bilinguals, etc.

These days it’s recommended to check for capabilities, not to check the name of the browser and see if it’s on the approved list. It’s not always possible, since every browser has its own quirks, but it produces better results—and blocks fewer people who might otherwise be able to visit your website.