"I recently received a message claiming to be from Consumer Reports," a reader wrote. "It is a 100% perfect duplicate of a phish message to steal my credit card info. It has all the pitfalls that articles on identity theft warn us to look out for and avoid, including warnings in Consumer Reports itself. With the help of SpamCop, I reverse engineered the header and proved that yes, Consumer Reports DID send the message. They have done their bit to make account theft the fastest growing crime in the world."

The reader wrote to Consumer Reports to complain and got a response that essentially said the difference between their message and a spoof is that their suspicious-looking link really does send people to ConsumerReports.org when clicked upon. "Right. Maybe one or two percent of e-mail users would know how to look at the code behind the link to find whether this is a spoof. There are any numbers of tricks that could send users who think they're going to Consumer Reports off to phish mill in Albania. That's why there must be zero tolerance for e-mail clickable links - phishing schemes require them; real e-mail never does."

Another reader sounded off on how fast and loose many sites are about e-mailing passwords that users already know. "I continue to be frustrated and amazed at the number of websites who, when you register, send your password and sometimes your user name as well in a plain text email as 'confirmation' -- as in 'Thanks for registering, you password is xxxxx,'" the reader wrote. "I can't count the number of websites that have done this to me. I'm not talking about system-generated temporary passwords, but passwords that I created myself and have not requested be sent to me. Does no one understand how insecure e-mail is? It almost feels unfair to single out a specific site, but a couple that have done it to me recently include hanes2u.com and the PA State Employees Retirement System (which when creating the account warned me to keep the password safe!). Both agreed to change their procedure when I complained, which will help others in the future, but my passwords were already compromised, and there are still countless other sites doing the same thing. What makes web site designers think that sending out passwords unrequested is a good thing?"

And another reader hit very close to home. "My gripe concerns Computerworld, which I know is your sister publication," the reader wrote. "Or at least I think it's Computerworld, but it might be a Russian mobster for all I know. I received an e-mail saying I'd been 'randomly selected among Computerworld subscribers' to participate in a survey. I'm not nor have I ever been a Computerworld subscriber, but even if I was, the 'secure' link they want me to click on to take the survey didn't even have 'computerworld' in the URL. I'm supposed to click on that? Thanks, but no thanks."

Which good guys are you having trouble telling from the bad guys? Post your comments below or write me at Foster@gripe2ed.com.