Strange "new web browser" messages

From time to time I get confusing “You have logged in from new browser” messages from AA such as the example below. The answer is always ‘no I haven’t’ - these messages are always red herrings, and I can’t understand why I’m getting them. Their appearance seems to be completely random. The IPv6 address quoted below, redacted, was one of the randomised lower 64-bits type. I doubt that the message can be triggered by changes in the source IPv6 address, but I haven’t checked this. I don’t generally access AA’s clueless.aa.net.uk website from different machines, and I don’t switch between different LANs or switch from one interface to another such as going from wifi to 4G. I don’t know how often this type of address changes, in this case under Apple iPadOS, but I imagine that it changes fairly frequently, and I think that the AA messages do not arrive frequently enough to correlate with every such IP address change. I don’t believe that the pattern of arrival of these messages has anything at all to do with my source IPv6 behaviour. Perhaps it’s to do with the user agent string from the browser, but that would generate a rash of red herrings every time there’s a browser or possibly o/s release.

This would be a very useful feature if it worked properly, but it simply doesn’t, for reasons unknown. The danger with red herrings is that the user tends to ignore them all, even ignoring any warnings that might be meaningful. Either that or the user directs each one to their junk container or blocks them all.

Might it be possible to customise the way the system works, by setting something in the clueless.aa.uk control panel? Or simply allow the user to turn them off ? (Which is something I’d rather not do.)

Coming back to IPv6, AA knows what my AA-supplied IPv6 /48 prefix is, knows my IPv4 address range and all my other individual AA IPv4 addresses. So what about a simple “Warn if not from your AA-supplied addresses” option. This would be very valuable, reliable, and simple to implement.

Here’s my example, so that other readers will know what we’re talking about. First part of the email body follows:

-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA512

You have logged in from new browser.

IP:      2001:8b0:1ce:xxxx:xxxx:xxxx:xxxx:xxxx
UserAgent: Mozilla/5.0 (Macintosh; Intel Mac OS X 10_15_7) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/16.4 Safari/605.1.15

If this was not you, please contact us as your login details may have been compromised.
- --
Andrews & Arnold Ltd
- --
Andrews & Arnold Ltd

I think IPv6 address privacy (RFC4941) causes the address to rotate every few hours.

If you want to rule it out as a cause, on MacOS you can disable it with:

sysctl -w net.inet6.ip6.use_tempaddr=0

I get them once in a while from the same machine. I assume when you login, it sends a warning email, then it remembers you for a set period of time, where it won't send an email. Then I expect after a while it forgets you so if you then login after it has forgotten you it will send the email.

I'm only guessing that's how it works so don't quote me on that. I tend to use a fixed IPv6 IP so no issue of it changing every so often.