Slashdot Mirror


PayPal Asks E-mail Services to Block Messages

roscoetoon writes: "PayPal, the Internet-based money transfer system owned by eBay, is trying to persuade e-mail providers to block messages that lack digital signatures, which are aimed at cutting down on phishing scams, a company attorney said Tuesday. So far, no agreements have been reached..." "...PayPal is using several technologies to digitally sign its e-mails now, including DomainKeys, Sullivan said. DomainKeys, a technology developed by Yahoo Inc., enables verification of the sender and integrity of the message that's sent." "...An agreement with, for example, Google for its Gmail service could potentially stop spam messages that look legitimate and bypass spam filters."

222 comments

  1. Sure would be nice by Kranfer · · Score: 1

    It sure would be nice to see this go through. If I had a dollar for every time I have gotten an email from some fake paypal scheme I would be rich. Hopefully ISPs and email providers will go along with this, because quite frankly, I hate it.

    --
    -- Josh
    "Whoopie! Man, that may have been a small one for Neil, but that's a long one for me!" - Pete Conrad
    1. Re:Sure would be nice by Intron · · Score: 1
      The whole reason there are fake Paypal schemes is people thinking "If I had a dollar from every fool using Paypal I would be rich".

      Unfortunately, someone needs to trot out the anti-spam checklist now:

      (X) It will stop spam for two weeks and then we'll be stuck with it
      (X) Ideas similar to this are easy to come up with, yet none have ever been shown practical
      --
      Intron: the portion of DNA which expresses nothing useful.
    2. Re:Sure would be nice by Anonymous Coward · · Score: 0

      Funny that they mention google. I buy/sell on ebay, have used gmail with pop/smtp for the last 2 years and have not yet gotten ONE paypal phish sent through to my email client. google's filters are that good that they've gotten everything. I think they missed one ebay phish (I also use gmail for all ebay email), but to top it off gmail's filters caught a valid ebay email that one of ebay's 'trust and safety' people told me was a phish and freaked all out on me saying I had to immediately change passwords, etc.

  2. This isn't the right solution.... by LordPhantom · · Score: 3, Insightful

    What ever happened to email signatures/authentication/etc? Rather than mess around with specific providers, they should talk to the folks writing the software and develop or work with an existing standard for identity authentication. It's not like encryption/signatures don't already exist; the problem is in mass adoption, and making it nearly thoughtless to do so is the difficulty.

    1. Re:This isn't the right solution.... by LordPhantom · · Score: 1

      (and this message was brought to you by the Department of Redundancy Bureau). I hate it when I don't click preview.....

    2. Re:This isn't the right solution.... by voice_of_all_reason · · Score: 1

      Every email software/website?

      That's like saying "stopping malware would be easy if only Bill and Linus forged an alliance and combined their powers"

    3. Re:This isn't the right solution.... by jimicus · · Score: 1

      the problem is in mass adoption, and making it nearly thoughtless to do so is the difficulty.

      I think you possibly underestimate how big a problem that is.

      In the days of snail mail, it was pretty uncommon for you to receive a letter purporting to be from someone it wasn't. Certainly not, say, a letter from your bank saying "We've accidentally gone and deleted all your verification information, please reply within 7 working days to the address above enclosing your full name, account number and signature" - partly because it would have been cost-prohibitive, partly because it would have been found out as soon as the first person contacted the real bank and then all they need to do to catch you is hang around outside the PO Box you've set up and wait for you to collect your mail.

      Today, of course, that's very different. But the perception is much the same - relatively few people outside of the sort of techies you see on /. (and probably their immediate families) are aware that it's trivially easy to make an email look convincingly like it came from someone else.

      I'm not too bothered about an email I send to a friend chatting about nothing in particular being intercepted. What I am bothered about is communication which I consider sensitive - mainly, it has direct impact on my finances or concerns something I don't want a particular person getting at (for instance, I might not want my partner to know I'm humping Ellie the Sheep - but in that case it's too much to ask Ellie to understand encryption - far easier to just set up a hotmail account for that).

      This means digital signing and encryption are only really interesting where I need to communicate with someone and a disposable hotmail account is not appropriate - mostly, banks. But they've always accepted a certain degree of fraud, and are used to working with law enforcement. Unless and until they're financially liable for every penny of it, and the amount of fraud going on goes over what they consider "acceptable", they won't be demanding that their customers use signed email anytime soon. Most of them have found an alternative option anyway: send the actual content of messages through a web-based interface and all they email you is a note saying "log into your bank account, there's a message for you there".

    4. Re:This isn't the right solution.... by Anonymous Coward · · Score: 0

      What ever happened to email signatures/authentication/etc? Rather than mess around with specific providers, they should talk to the folks writing the software and develop or work with an existing standard for identity authentication. It's not like encryption/signatures don't already exist; the problem is in mass adoption, and making it nearly thoughtless to do so is the difficulty.

      What, you mean like S/MIME? A strong, standards-based encryption method which is well-known, well-documented, and cross-platform?

      Outlook and Outlook Express (and most other email software) already support S/MIME, and they have for years. They even make it very easy to use.

  3. SPF by ikegami · · Score: 4, Informative

    This is the problem Sender Policy Framework (SPF) tries to address.

    1. Re:SPF by Anonymous Coward · · Score: 0

      paypal.com has both spf1 and spf2.0 TXT records.

      This, of course, is useless against emails from paypai.com (then again, so are the rest of the domainkeys, digital signatures or the like).

      Public key cryptography needs to get to the point where it's so simple, it works automatically, using software licensed so that it's available everywhere, and protocols that work with everything. paypal, newegg, and everyone else would then post their public message signing keys on their websites, browsers would confirm that the key matches the domain of the website (preventing paypai.com from posting a "fake" paypal.com key) before downloading it and installing it to the keyring where any app could use it to confirm messages or anything else.
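To make the SPF part of this thread concrete, here is an added example (not PayPal's code and not from any poster) of how a receiving mail server evaluates an spf1 record against the connecting IP, with the article's "refuse unsigned mail from a domain that signs everything" rule layered on top. The TXT records, the SIGNED_ONLY list and all addresses are constructed for the example; the paypai.com entry shows the caveat above, since a lookalike domain with its own SPF record passes SPF for itself.

```python
import ipaddress

# Constructed SPF records standing in for DNS TXT lookups (not the real records
# of these domains). "paypai.com" is the lookalike domain from the comment above.
SPF_RECORDS = {
    "paypal.com": "v=spf1 ip4:203.0.113.0/24 ip4:198.51.100.10 ~all",
    "partner.example": "v=spf1 include:paypal.com -all",
    "v6.example": "v=spf1 ip6:2001:db8::/32 -all",
    "paypai.com": "v=spf1 ip4:192.0.2.0/24 -all",
}

# Domains that have pledged to sign every message they send (the article's proposal).
SIGNED_ONLY = {"paypal.com"}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_spf(record):
    """Split an spf1 record into (result-if-matched, mechanism, argument) terms."""
    parts = record.split()
    if not parts or parts[0].lower() != "v=spf1":
        raise ValueError("not an spf1 record: %r" % record)
    terms = []
    for term in parts[1:]:
        if "=" in term:          # modifier such as redirect= or exp=; not modelled here
            continue
        qual = "+"               # a mechanism without a qualifier means "pass" on match
        if term[0] in QUALIFIERS:
            qual, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        terms.append((QUALIFIERS[qual], name.lower(), arg))
    return terms


def check_spf(domain, client_ip, records=SPF_RECORDS):
    """Evaluate the sending host's IP against the domain's policy.

    Returns pass / fail / softfail / neutral / none, using SPF's first-match
    rule. Only ip4, ip6, include and all are implemented; a, mx, ptr and
    exists would need live DNS.
    """
    record = records.get(domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for result, name, arg in parse_spf(record):
        if name == "all":
            return result
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return result
        elif name == "include":
            # An include only matches when the included domain would return pass.
            if check_spf(arg, client_ip, records) == "pass":
                return result
    return "neutral"   # record exhausted without an explicit "all"


def accept_message(from_domain, client_ip, signature_verified):
    """Receiver-side decision for one message.

    Combines the ordinary SPF outcome with the rule the article describes:
    refuse unsigned mail from a domain that has promised to sign all of it.
    Simplification: the From: domain is taken as the SPF (envelope) domain too,
    and signature_verified is the outcome of a DomainKeys/S-MIME check done
    elsewhere.
    """
    if from_domain in SIGNED_ONLY and not signature_verified:
        return (False, "unsigned mail from a domain that signs all mail")
    spf = check_spf(from_domain, client_ip)
    if spf == "fail":
        return (False, "spf fail")
    return (True, "spf " + spf)
```

Note that accept_message("paypai.com", "192.0.2.5", False) is accepted: SPF and the signing pledge both speak only about the domain that was actually used, which is exactly the gap the comment above points out.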

  4. Even better by Applekid · · Score: 4, Insightful

    How about Paypal just gives up sending email?

    I've seen lots of spoof Paypal emails and some of them look frighteningly close to the real thing. Even if Paypal's sending legitimate email, what is it? Emailed receipts? Just what I want hopping from mail server to mail server. Emailed promotions? No thanks, does anyone REALLY want those?

    If it's that important, do what businesses have been doing for a good century: certified postal mail. If you don't wanna pay the dollar fifty for it, then it must not be very important and, by definition, it makes it non-essential.

    --
    More Twoson than Cupertino
    1. Re:Even better by RedHat+Rocky · · Score: 1

      My guess would be even though Paypal never sends email to their customers, they would still end up paying out fraud for folks falling for the phish.

      This would be the motivation for Paypal to seek a real fix, the phishing is hitting their bottom line and there's nothing they can directly change; they have to take a global direction.

      --
      Anything is possible given time and money.
    2. Re:Even better by gad_zuki! · · Score: 1

      Heaven forbid they just ask people to get off their butts and manually type in 'paypal.com'. Granted, this exposes them to some typo domains, but it sure beats blindly clicking around and handing your authentication info to strangers. I always tell non-techies to always type in their bank's name and don't bother trying to decipher whether an email is safe or not.

    3. Re:Even better by mrbcs · · Score: 1
      I like the fact that Netscape can remember my logins and passwords if I so choose. I have also almost been fooled once by an ebay phishing scam. They were good. One of the / was replaced with a . Very hard to see right away.

      When I clicked on the fake link, my username did NOT show up! That's when I looked more closely at the url.

      Since that time, ebay changed the way that they do business and now they don't send emails anymore. Now you have to log in to ebay to see emails from them.

      --
      I'm not anti-social, I'm anti-idiot.
    4. Re:Even better by FooBarWidget · · Score: 1

      "Emailed receipts?"

      Yes. I want emailed receipts. I want to be able to search my payment history with GMail. And you forgot things like email address verification - Paypal needs to send emails for that.

      Heck, even if they decide not to send emails anymore, then people will still fall for Paypal phishing emails.

    5. Re:Even better by Anonymous Coward · · Score: 3, Interesting

      My bank sends a couple types of emails. One is a "A statement for your account ending in XXXX has been posted."

      Another is "We have sent you a secure message. Log into your account to see it."

      The emails are only text, and they never have a link to the bank's website. The two sentences I have quoted above are pretty much the entire contents of the emails.

      The bank has trained me that if they have something to tell me, I should go to the site on my own and log into my account like I would for anything else. No HTML mail, no links that could possibly be misleading, nothing.

    6. Re:Even better by chaos99 · · Score: 1

      How does that stop phishers from sending spoof paypal emails, and people believing them? Even if Paypal does their best to inform people of a change like this, you will always have that small percentage of people who see the spoofed email and believe it, which gives the phishers all the incentive they need to continue. (Especially considering that small percentage is probably the same set of people that buy into the phishing emails currently) Should this proposal succeed, even with just yahoo/google/hotmail, that should eliminate a majority of the recipients of these emails, which will definitely reduce the incentive for the phishers.

  5. That reminds me.. by Rob+T+Firefly · · Score: 3, Insightful

    I'm sick of people entering my house through the open front door while I'm away, and stealing all my stuff. I want to make it illegal for people to just walk through open doors.

    I know, you're thinking "why don't you just do something about your open front door?" But dammit, I've based my entire security model around having my front door open at all times, and I really can't be bothered to dream up a more secure system than a wide open front door. I'd much rather make it everyone else's problem instead.

    1. Re:That reminds me.. by Aladrin · · Score: 1

      Ah, the flawed analogy. Such a fine artform these days.

      There is no law involved here. They are -asking- ISPs to do this and help both PayPal and the ISP's customers. There is no law. There is no old woman nagging 'Now don't you do that!'

      A better analogy: I'm sick of airports letting people carry knives onto airplanes. I want them to scan and prevent people from carrying them onboard.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:That reminds me.. by geekoid · · Score: 1

      What I am thinking is that there is a law. Just because someone's door is open doesn't mean you get to enter their home. The exception is places where it is reasonably expected for you to do so, i.e. a business.

      That, and the fact that your analogy in no way whatsoever fits what they are talking about. It's not a poor analogy, it is a wrong analogy.

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    3. Re:That reminds me.. by geekoid · · Score: 0

      That wasn't better at all!

      --
      The Kruger Dunning explains most posts on /. http://en.wikipedia.org/wiki/Dunning%E2%80%93Kruger_effect
    4. Re:That reminds me.. by nine-times · · Score: 2, Informative

      I'm not sure how this analogy is relevant. Isn't Paypal asking service providers to block Paypal messages that lack signatures? Wouldn't it be more like: if there were fake police officers going through people's houses and stealing things, and in response the police department asked citizens not to let police officers into their houses unless those police carried some kind of official ID.

      It doesn't sound unreasonable to me.

    5. Re:That reminds me.. by Anonymous Coward · · Score: 0

      I know, you're thinking "why don't you suggest a feasible, concrete solution?" But dammit, I've based my entire post around snarky dismissal and vague analogy, and I really can't be bothered to dream up a more secure system than a wide open front door. I'd much rather bitch about it on slashdot instead.

    6. Re:That reminds me.. by Fred_A · · Score: 4, Funny

      Ah, the flawed analogy. Such a fine artform these days.
      Yeah, it didn't even have a car in it! Pitiful, I say!
      --
      May contain traces of nut.
      Made from the freshest electrons.
    7. Re:That reminds me.. by MrBugSentry · · Score: 1

      Or the gas company telling doormen/security guards not to let in people claiming to be from the gas company unless they have official badges. Since the scammers are "collecting bills" in person, taking money from the building tenants and also goofing up the real bills. Or something like that.

    8. Re:That reminds me.. by Anonymous Coward · · Score: 1, Insightful

      I want to make it illegal for people to just walk through open doors.

      Don't look now, but it already is. That's called trespassing.

    9. Re:That reminds me.. by Rob+T+Firefly · · Score: 1

      Ah, the flawed analogy. Such a fine artform these days.
      But two bad analogies don't make a left turn.
    10. Re:That reminds me.. by gstoddart · · Score: 2, Insightful

      I'm not sure how this analogy is relevant. Isn't Paypal asking service providers to block Paypal messages that lack signatures?

      Well, the problem with this is that unless they can get every service provider to block such messages, it's a worthless system.

      See, going to all of the ISPs and saying "help us come up with a secure solution that applies only to us" doesn't solve the general problem of phishing and the like. And, any system which is (mostly) a widespread fix for Paypal doesn't cover all of the other vendors which are gonna be saying "hey, block that for me too". It pushes the onus on the ISP to have the white-list for all of the possible services they could be delivering.

      Then you have a bunch of ISPs blocking for some services but not for others. Then, I'm sure some idiot will say "hey, we don't need to screen this for free -- let's charge people so they can have their verified e-mails delivered" a la the (lack of) net neutrality thing people keep talking about.

      Unless people can come up with a more generalized scheme, I just can't see PayPal getting enough ISPs to do this; nor can I see it being worthwhile for each ISP to have to do special processing to deliver e-mail from one or more companies which are exceptions.

      Wouldn't it be more like: if there were fake police officers going through people's houses and stealing things, and in response the police department asked citizens not to let police officers into their houses unless those police carried some kind of official ID.

      No, it's more like expecting people to call up the police department to confirm that the IDs of the people claiming to be police agents are valid. In this case, if the mail gets through, the average home user (and likely many of the rest of us) might not be able to verify digital signatures in the e-mail anyway. At which point, it becomes about as meaningful as putting "I promise this message isn't a phishing scam" at the bottom of the e-mail (like the useless opt-out links in e-mails which had been required by some idiotic law which would never work either).

      If it's not 100% blanketed, it's just a false sense of security. Unless you make *all* e-mail delivered need to be authenticated, this won't do anything to really decrease spam/phishing. It gives the illusion of preventing phishing for one given site. Then, if ISPs don't sign on, PayPal gets to say "well, we tried to get them to protect you, but they said no, the greedy bastards". It can't possibly have enough coverage to help.

      It's not really meaningful to PayPal to offload this to the ISPs -- it simply won't work. It can't, in large part because it places all of the expense and processing on the ISP side.

      Cheers
      --
      Lost at C:>. Found at C.
    11. Re:That reminds me.. by nine-times · · Score: 1

      No, it's more like expecting people to call up the police department to confirm that the IDs of the people claiming to be police agents are valid

      I'll tell you what: if there were a band of impostor police running around town robbing people, and the police department requested that you call them for verification before allowing police officers into your home, I would be willing to do that. When you consider the alternative making the phone call isn't so bad. Are you telling me that when the police came to your door, you'd just let them in because you're too lazy to make the phone call?!

    12. Re:That reminds me.. by CheckeredFlag · · Score: 1

      Well said! Our current email security model (or lack of it) is horrid, but back in the day, nobody ever abused it so it was a non-issue.

      While it may seem like an arrogant and heavy-handed request on Paypal's part, I applaud their effort. Look at it this way: They're saying, "We promise never to send legitimate mail to our customers without proving our identity via a digital signature." Rather than trying to have ISPs have convoluted rules to detect all the Paypal phishes, it becomes much easier to simply block all but properly signed Paypal emails. Period.

      If more companies would follow this trend, it would not only ease the work for the authors of spam filters, but it would finally begin the long overdue migration to a closed door model in which every email is signed instead of being stuck with the pathetic and antiquated open door model we currently have.

    13. Re:That reminds me.. by gstoddart · · Score: 1

      I'll tell you what: if there were a band of impostor police running around town robbing people, and the police department requested that you call them for verification before allowing police officers into your home

      What about the one arresting you for speeding? How about resisting arrest?

      My point was, and still is, doing verification on an ISP-level on a one-service-at-a-time basis is a completely worthless system. Either you're going to cover only about 50% or less of available ISPs and go around with a false sense of security believing you're safe (or, at least, tell your customers they're safe). Or you're going to have a whole bunch of individual services all trying to get all of the ISPs to provide authentication for their crap, and then you'll end up with an unmanageable mechanism of dozens of services you need to verify individually. This won't work.

      You need a system which can be implemented to address the generalized solution of authenticated, confirmed mail delivery. You know, something defined at the core level of e-mail implementations that everyone does uniformly -- not a special case grafted on to try to protect PayPal's customers while ignoring the bigger picture. NO solution which attempts to provide authentication only for PayPal is worth a damn. As a non-PayPal customer, I sure as hell don't want my ISP charging me more fscking money to do extra processing for PayPal to prevent them from phishing.

      A one-off solution for PayPal has no chance of actually working. I'm sure someone in their organization knows this. They're just hoping that floating a technically infeasible solution makes them sound pro-active. In reality, the proposed system can't work.

      I'm sure someone has already posted the standard "your spam solution won't work" worksheet and checked the appropriate boxes. This is just another example of such a system.

      Cheers
      --
      Lost at C:>. Found at C.
    14. Re:That reminds me.. by nine-times · · Score: 2, Insightful

      My point was, and still is, doing verification on an ISP-level on a one-service-at-a-time basis is a completely worthless system

      It's not completely worthless if it stops PayPal phishing. A large percentage of phishing that goes on is pretending to be PayPal or Ebay.

      Or you're going to have a whole bunch of individual services all trying to get all of the ISPs to provide authentication for their crap

      Not "provide authentication". They're not asking ISPs to devise an authentication service. The service exists. The key thing is that they're asking everyone to refuse messages that aren't authenticated.

      The key thing here is that it sounds like PayPal is, in fact, pledging to ISPs that they will be signing all of their valid e-mail. Most ISPs and businesses would *LOVE* to be able to reject all unsigned e-mail in order to cut out spam and phishing. The problem with refusing unsigned e-mail is that most individuals and businesses don't sign their e-mail. If PayPal only signed a portion of their official e-mail and an ISP started rejecting all unsigned e-mail, that ISP would start receiving complaints both from its customers and from PayPal. However, if PayPal pledges to sign all valid e-mail and asks ISPs to block all unsigned e-mails, it will allow ISPs and businesses to easily filter the phishing attempts without any fear of losing valid e-mail.

    15. Re:That reminds me.. by gemada · · Score: 1

      who modded the parent up? it makes no sense whatsoever.

    16. Re:That reminds me.. by initialE · · Score: 1

      Replace the word "house" with "department store" and you'll have a better analogy. Of course the front door is open, how else are you going to get customers in?

      --
      Starbucks, Harbuckle of Breath.
    17. Re:That reminds me.. by Anonymous Coward · · Score: 0

      But two bad analogies don't make a left turn.

      Of course they do. Look, the analogies are bad, therefore they are wrong.

      Two wrongs don't make a right, therefore they must make a left.

      Therefore two bad analogies make a left.

      Q.E.D.

  6. Time to move past SMTP? by mdboyd · · Score: 2, Insightful

    The issue here seems to be spam/phishing. I wonder if it's time to develop something like SMTP 2.0... an equivalent to a "new" e-mail system completely separate from the current one. Maybe it should have centrally managed servers for stricter authentication? Is the current system defective by design or just in need of some updated techniques?

    1. Re:Time to move past SMTP? by Trillan · · Score: 3, Insightful

      SMTP is not only defective by design, but defective by requirement.

    2. Re:Time to move past SMTP? by ISurfTooMuch · · Score: 2, Insightful

      It's been time to rework SMTP for a decade now. First, it was open mail servers. Next, it was the lack of any verification that a mail server was in the domain it claimed to be in, in its HELO line. Next, it's the lack of a way for the SMTP server to authenticate a connecting user.

      For every one of these problems, a solution has had to be cobbled together, usually using a large amount of gum, duct tape, and string.

      And how long have people been discussing a replacement to SMTP? I remember posts on this subject on NANAE over 10 years ago. Ten YEARS, yet nothing has been done, and now e-mail is slowly sinking under the weight of billions of pieces of spam and phishing scams.

      Someone had better come up with a solution before some company develops a proprietary mail system that only its software can be used to access. And, yes, this will happen, sooner or later. So, we can have a better mousetrap based on open standards or one based on proprietary, closed standards.

    3. Re:Time to move past SMTP? by bvimo · · Score: 1

      SMTP is not only defective by design, but defective by requirement.
      Does that mean SMTP was designed by Microsoft?
      --
      In either case, here at Microsoft, we feel standards are important. And we have fun, too. Doug Mahugh, Microsoft
    4. Re:Time to move past SMTP? by flonker · · Score: 1

      I've heard this said many times, yet I have never heard anyone back this claim up. What are the defects in SMTP? Specifically, what are the defects that can't be fixed except by implementing and using a new protocol?

    5. Re:Time to move past SMTP? by Trillan · · Score: 2, Informative

      From RFC 2821 (which defines modern SMTP):

      SMTP mail is inherently insecure in that it is feasible for even fairly casual users to negotiate directly with receiving and relaying SMTP servers and create messages that will trick a naive recipient into believing that they came from somewhere else. Constructing such a message so that the "spoofed" behavior cannot be detected by an expert is somewhat more difficult, but not sufficiently so as to be a deterrent to someone who is determined and knowledgeable. Consequently, as knowledge of Internet mail increases, so does the knowledge that SMTP mail inherently cannot be authenticated, or integrity checks provided, at the transport level. Real mail security lies only in end-to-end methods involving the message bodies, such as those which use digital signatures (see [14] and, e.g., PGP [4] or S/MIME [31]).

    6. Re:Time to move past SMTP? by perlchild · · Score: 1

      The "main" problem, as I see it, is twofold:
      1) SMTP doesn't have good attribution
      2) some derivative apps depend on "loose" attribution to work

      a new protocol would be ideal, but while there's been proposal after proposal, none have gotten any traction, because of lack of backwards compatibility to the "brokenness" we have now.

    7. Re:Time to move past SMTP? by Trillan · · Score: 1

      Indeed. The primary requirement of SMTP is that it remain compatible with SMTP, whereas one of the things current applications depend on is this inability to authenticate.

  7. I don't get it. by jpellino · · Score: 3, Insightful

    Because hovering over the link in the mail is hard?

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
    1. Re:I don't get it. by sqlrob · · Score: 3, Insightful

      Right, something like http://update-paypal-security.info/ is obviously a phish to the average user.

    2. Re:I don't get it. by Billosaur · · Score: 1

      It's not hard, but the fact is, the average user doesn't understand that the path in a link may not go to the place they think it will. The truly web-savvy are knowledgeable but in the minority. What is needed is for email clients to have an option similar to what you see here on Slashdot, where the domain of the link is displayed, although it would need to be expanded to accommodate the intricate URLs spoofers sometimes use. If the average user could see a visual representation of the link, they might be more wary. But then URLs get more complicated all the time, and with the number of TLDs, it might be hard to ever bring the average user's web sense up to the necessary level.

      --
      GetOuttaMySpace - The Anti-Social Network
    3. Re:I don't get it. by Billosaur · · Score: 1

      Perhaps, but your average spoofer isn't going to show that URL in the link; it would probably look more like http://security.paypal.com/ and the average user isn't going to be aware that the source URL for that link is not the same as what's being displayed.

      --
      GetOuttaMySpace - The Anti-Social Network
    4. Re:I don't get it. by LordSnooty · · Score: 1

      That's why OP recommended hovering over the link. But people like my Dad wouldn't know the difference between paypal.com & paypal-user.info. And I'm sure he's the type who gets hit by phishing. As others have suggested, maybe it's time for these companies to revert to more traditional, tried & trusted means of communication. It's not like they aren't making stacks of cash every day.

    5. Re:I don't get it. by The+Cisco+Kid · · Score: 1

      I suspect the PP's sarcasm was a bit too subtle for you - the point is, that to the average user, "update-paypal-security.info" *DOES* look legitimate.

      This is a hard problem, and requires people to acquire skills that they should already have to begin with. I blame Microsoft for making it 'too easy' for people, and people for letting MS lead them by the hand.
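The lookalike domains traded back and forth in this thread (paypai.com, paypal-user.info, update-paypal-security.info, and a link whose text says one host while its target is another) are exactly what a mail client or gateway can flag for the user. The following is an added example, not code from any poster or from PayPal: a small checker for a link's hostname against a list of protected domains. The PROTECTED set and the two-label registrable-domain rule are assumptions for the example; a real checker would use the public suffix list.

```python
from urllib.parse import urlparse

# Legitimate domains the thread talks about; a real deployment would load
# this list from configuration.
PROTECTED = {"paypal.com", "ebay.com"}


def registrable_domain(host):
    """Last two labels of a hostname.

    Assumption: no multi-label public suffixes (co.uk, com.au); a real
    checker would consult the public suffix list instead.
    """
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character lookalikes such as paypai."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def assess_link(url):
    """Classify a link target as legitimate, suspicious or unknown.

    Returns (verdict, reasons). Only the hostname is examined; the path and
    any JavaScript on the landing page are out of scope here.
    """
    host = (urlparse(url).hostname or "").lower()
    reg = registrable_domain(host)
    if reg in PROTECTED:
        return ("legitimate", [])
    base = reg.split(".")[0]
    reasons = []
    for legit in sorted(PROTECTED):
        brand = legit.split(".")[0]
        if host.startswith(legit + "."):
            # e.g. paypal.com.evil.example: the real domain used as a subdomain label
            reasons.append("%s used as a subdomain of %s" % (legit, reg))
        elif brand in host:
            # e.g. update-paypal-security.info or paypal-user.info
            reasons.append("brand '%s' inside unrelated domain %s" % (brand, reg))
        elif edit_distance(base, brand) == 1:
            # e.g. paypai.com
            reasons.append("'%s' is one character away from '%s'" % (base, brand))
    return ("suspicious" if reasons else "unknown", reasons)


def assess_anchor(display_text, href):
    """Check an HTML link as the user sees it: the text shown versus the real target."""
    verdict, reasons = assess_link(href)
    text = display_text.strip()
    # Only treat the visible text as a URL when it plausibly is one ("Click here" is not).
    looks_like_url = "://" in text or ("." in text and " " not in text)
    shown = None
    if looks_like_url:
        shown = urlparse(text if "://" in text else "http://" + text).hostname
    actual = urlparse(href).hostname
    if shown and actual and shown.lower() != actual.lower():
        reasons = reasons + ["text shows %s but link goes to %s" % (shown, actual)]
        verdict = "suspicious"
    return (verdict, reasons)
```

Internationalised (IDN) homographs are not covered; they need a separate Unicode confusables check before the hostname comparison.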

    6. Re:I don't get it. by navyjeff · · Score: 4, Funny

      Right, something like http://update-paypal-security.info/ is obviously a phish to the average user.

      I think that link is slashdotted. I tried to update my paypal security info, but the site seems to be down. Anyone got a cached link???

      (My karma's gonna burn for this...)

    7. Re:I don't get it. by eli+pabst · · Score: 2, Informative

      I've seen phishing scam emails using obfuscated javascript for links to the actual phishing sites recently, so that isn't always a tipoff. Your grandma and grandpa aren't going to be able to download the page source and walk through the javascript to see what it's doing.

    8. Re:I don't get it. by pembo13 · · Score: 1

      If your email client is running javascript, that is your problem

      --
      "Thanks for all the money you paid to us. We've used it to buy off ISO among other things" -Microsoft
    9. Re:I don't get it. by Anonymous Coward · · Score: 0

      But JavaScript can make the link appear as something other than what it really links to.

    10. Re:I don't get it. by eli+pabst · · Score: 1

      On a webmail-based account like hotmail or yahoo, the full html page is often rendered, including javascript. You can disable html, but again that's a measure that grandma and grandpa aren't likely to know to do.

    11. Re:I don't get it. by mgblst · · Score: 1

      You are kidding, right? By average user, you are talking about an IT professional. And I know plenty of so-called IT professionals who would fall for this as well. How do you know that paypal hasn't created another site to handle security updates? Do you just plain know this stuff or not? Do you think we all have the inner workings of Paypal worked out?

      The fact is, the only reason you or I would not click on the link is because we are cautious, and we know what to be cautious about. The average user can't be that cautious, or they wouldn't do anything. In this world where it is unsafe to click on an email attachment from a friend, or even read a webpage, how can the average person know what is safe or not?

      You clearly have no experience with real users.

    12. Re:I don't get it. by sqlrob · · Score: 1

      Even more skills than you think, if you want to be correct.

      I received a mail from my "bank". It screamed phish - links were to strange places, images weren't, strange mail server.

      Two hours of research later, it wasn't a phish. They were using a third party provider.

    13. Re:I don't get it. by The+Cisco+Kid · · Score: 1

      Indeed. Not only does Joe Sixpack need some education, so do the financial institutions.

      1. People need to know that they should not trust links in email.
      2. Banks/etc need to never expect their customers to trust links in even authentic messages.
      3. Customers should make an effort to find out, and Banks/etc should make an effort to inform (NOT through email) them, of the correct and legitimate address they should hand-enter into their browser to access the banks real site.
      4. The guts of communications, anything sensitive, should be done *within* the site itself, an email should only serve to notify that 'you have a message - log into the site to read it' (and fight the urge to include a link - it specifically needs to be a little less friendly to force the customer to be aware of where they are going)
      5. None of this is effective against the crapware, spyware, trojans, etc that Windows and MSIE are, and will always be, vulnerable to. Banks/etc should encourage customers to use alternatives to MSIE, at the very least by ensuring their sites are 100% standards compliant and work with those alternatives (eg FireFox) (Paypal violates this one in that it *requires* Windows/MSIE for its 'virtual debit card' function, and I'm sure many banks optimize their sites for MSIE)

  8. I like this idea by jhfry · · Score: 2, Insightful

    Why don't major financial institutions all create a coalition that does exactly this? This coalition would issue signing certificates for the various members, who will then sign all of their email.

    All that mail hosts would need to do is verify that the mail was signed by a valid certificate that was issued by the coalition. One certificate to verify against. The coalition can then issue revocation lists as necessary if a member's certificate is ever compromised.

    Seems like an ideal solution to reduce phishing. It could also be used by other organizations who could have their email signed in a similar way, which might allow these messages to bypass spam filters which would benefit the mail hosts.

    I think of it as a way to implement a pseudo whitelist, which is by far the best way to ensure that you don't get spam.

    --
    Sometimes the best solution is to stop wasting time looking for an easy solution.
    1. Re:I like this idea by Anonymous Coward · · Score: 0

      But what about when a hacker breaks the coalition's code and spoofs as a legit business? Because they look legit they'd fool a lot more people.

  9. Re:How about just block emails from paypal? by DrLov3 · · Score: 5, Funny

    How dare they do this, impeach the people sending emails to me (scammer or not), I need those emails, their futile attempts to get my money are detectable to the naked eye, I need those for my weekly laughter at their incompetence, keeps me cheered up, otherwise I might go on a killing spree or something, and paypal will be held accountable for the death and violence.

    I mean, why on earth would a third party have the right to request that I stop receiving my emails?

  10. KIE2ES: Keep it End-to-End Stupid by John.P.Jones · · Score: 1

    It should be sufficient to let the client handle this: domains wishing that all mail from their domain should be signed can ADVERTISE this fact, and clients wishing to RESPECT that advertisement can verify signatures and filter incoming mail accordingly.

    I guess I am just old-fashioned eh?

  11. Hard to keep up by superbus1929 · · Score: 1, Insightful

    This is a great idea, but hard to enforce. Most people let anything and everything get to their systems because they don't want to miss that ONE KEY EMAIL, and really, you're entrusting end-users with PGP. That's what it sounds like to me, and if that's the case, this has little chance of working in practice.

    --
    Let's stop dilly-dallying and just change "-1: Overrated" to "-1: Disagree" or "-1: Doesn't Subscribe to Groupthink".
    1. Re:Hard to keep up by Aladrin · · Score: 1

      Enforce? Who said anything about enforcing? If they can simply get the major ISPs (AOL, Earthlink, MSN, etc) to agree to do this server-side, that'll leave only businesses and people smart enough to have their own domain that don't have this protection. It will remove the majority of the phishing.

      This is not a customer-side solution, so they aren't trusting users with anything.

      Do I think it's a good idea or even that it'll happen? Not really. But it's a nice gesture from a company who is usually just crap.

      --
      "If you make people think they're thinking, they'll love you; But if you really make them think, they'll hate you." - DM
    2. Re:Hard to keep up by superbus1929 · · Score: 1

      So what are you proposing? A phishing scan of every email? Public encryption keys attached to every ebay.com email?

      Good luck. How long do you think it will take to find a way around that?

      --
      Let's stop dilly-dallying and just change "-1: Overrated" to "-1: Disagree" or "-1: Doesn't Subscribe to Groupthink".
    3. Re:Hard to keep up by stephanruby · · Score: 1

      Do I think it's a good idea or even that it'll happen? Not really. But it's a nice gesture from a company who is usually just crap.

      A nice gesture? It's a neutral gesture at best -- done to try to protect their reputation. Many of my customers just refuse to use Pay Pal these days, just because of all the spoofed Pay Pal crap they've been receiving in their inbox. Trying to solve this issue, or even just trying to mitigate its effect, may certainly affect the company's own bottom line.

  12. Nope. SMTP works fine. by khasim · · Score: 1

    It's just that email is NOT a good method to distribute ALL information.

    Rather than re-working an existing system so it is more "effective" in handling a specific case, why not look at how best to handle that specific case?

    We've been over this before with regular banks. You need two different channels to confirm a transaction to make it "safe" enough for the average person. Web and phone is a good combination.

    1. Re:Nope. SMTP works fine. by brunascle · · Score: 1

      But this is more than just one specific case. Even if paypal instituted a never-use-email policy, it wouldn't stop the phishing. Even if every financial institution used this policy, it would take a while before the public really understood that they should never trust an email from a financial institution. In the time it would take, we could probably develop a new SMTP that would stop the phishing and the spamming.

      Yes, it's going to be very hard to completely replace SMTP, but the longer we wait the harder it's going to be, and the problem is not going away.

  13. We need "Email 2.0" by erroneus · · Score: 1

    The whole idea of creating a newer, more secure and spam-resistant emailing standard has been out there for a long time. There are limitless "great ideas" on how it can be done but the problem is implementation and integration. We're already stuck in this way of doing things.

    But somehow we need to answer the need, and perhaps under the premise of protecting financials there might be some potential for movement. I'm thinking that if a consortium of financial groups got together and decided that from here on out they will implement XYZ for all financial related electronic communication or whatever, people would just download the client they needed and be done with it. I believe that people would be more willing to protect their financials by running a new client or application, and I believe that eventually financial institutions would be willing to back the initiative if it meant they'd suffer less fraud.

    I just hope that whatever gets pushed out is OSS based or at the very least available to OSS implementation.

    1. Re:We need "Email 2.0" by LordEd · · Score: 1

      Your post advocates a

      ( ) technical ( ) legislative (x) market-based ( ) vigilante

      approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

      ( ) Spammers can easily use it to harvest email addresses
      ( ) Mailing lists and other legitimate email uses would be affected
      ( ) No one will be able to find the guy or collect the money
      ( ) It is defenseless against brute force attacks
      ( ) It will stop spam for two weeks and then we'll be stuck with it
      ( ) Users of email will not put up with it
      ( ) Microsoft will not put up with it
      ( ) The police will not put up with it
      ( ) Requires too much cooperation from spammers
      ( ) Requires immediate total cooperation from everybody at once
      ( ) Many email users cannot afford to lose business or alienate potential employers
      ( ) Spammers don't care about invalid addresses in their lists
      ( ) Anyone could anonymously destroy anyone else's career or business

      Specifically, your plan fails to account for

      ( ) Laws expressly prohibiting it
      ( ) Lack of centrally controlling authority for email
      ( ) Open relays in foreign countries
      ( ) Ease of searching tiny alphanumeric address space of all email addresses
      ( ) Asshats
      ( ) Jurisdictional problems
      ( ) Unpopularity of weird new taxes
      ( ) Public reluctance to accept weird new forms of money
      (x) Huge existing software investment in SMTP
      (x) Susceptibility of protocols other than SMTP to attack
      ( ) Willingness of users to install OS patches received by email
      ( ) Armies of worm riddled broadband-connected Windows boxes
      ( ) Eternal arms race involved in all filtering approaches
      ( ) Extreme profitability of spam
      ( ) Joe jobs and/or identity theft
      ( ) Technically illiterate politicians
      ( ) Extreme stupidity on the part of people who do business with spammers
      ( ) Dishonesty on the part of spammers themselves
      ( ) Bandwidth costs that are unaffected by client filtering
      ( ) Outlook

      and the following philosophical objections may also apply:

      ( ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
      ( ) Any scheme based on opt-out is unacceptable
      ( ) SMTP headers should not be the subject of legislation
      ( ) Blacklists suck
      ( ) Whitelists suck
      ( ) We should be able to talk about Viagra without being censored
      ( ) Countermeasures should not involve wire fraud or credit card fraud
      ( ) Countermeasures should not involve sabotage of public networks
      ( ) Countermeasures must work if phased in gradually
      ( ) Sending email should be free
      (x) Why should we have to trust you and your servers?
      ( ) Incompatibility with open source or open source licenses
      ( ) Feel-good measures do nothing to solve the problem
      ( ) Temporary/one-time email addresses are cumbersome
      ( ) I don't want the government reading my email
      ( ) Killing them that way is not slow and painful enough

      Furthermore, this is what I think about you:

      (x) Sorry dude, but I don't think it would work.
      ( ) This is a stupid idea, and you're a stupid person for suggesting it.
      ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

    2. Re:We need "Email 2.0" by erroneus · · Score: 1, Flamebait

      Where's the check box for "I'm an asshole."?

      The huge investment in SMTP is irrelevant compared to the huge loss due to fraud. I believe a group of those most concerned should come together to create a solution.

      The whole "multiple response" thing intended to illustrate how redundant people's ideas are is really unwelcome and truly reflects on your arrogant personality. Oddly enough, the snottiest of people are generally pretty unhappy with themselves... hope that works out for you eventually.

    3. Re:We need "Email 2.0" by LordEd · · Score: 1

      So how about the 'why should we trust the xyz financial consortium' checkbox? Who is allowed into this consortium? How about somebody who sells viagra online, do they get into it? Will you be happy if Microsoft is part of the group who decides who is allowed to send financial-based communications?

      How about the client? Are we going to do some base authentication? Who will hold those servers, and why are they trustworthy? How much will it cost to maintain or buy a license (ie, SSL certificates cost money)?

      Who will write this client, and why should we trust that person/group with sensitive information? If it's not email based, will the addresses still be user@domain formatted? If a person holds a normal email address, do they have the right to the financial equivalent address?

      It's nice to say 'let's go write a new secure client', but if you can't even pass a simple checklist, it isn't going to go very far.

    4. Re:We need "Email 2.0" by erroneus · · Score: 1

      Just goes to show that you didn't read my initial 'prayer' before you started forming an opinion and judgement. It included, specifically, leanings to OSS drivings or at the very least capability.

      Ultimately, a secure email system that is resistant to spam would have the security built into the open structure, not through obscurity or propriety. There would be means by which sender and servers could be authenticated. Under such a scheme, the receiving server would be able to query the sending authority of record that the email does indeed come from an authorized sender and that the server is indeed authorized to send for that domain.

      You're a very negative-thinking person. You should really look into reversing that.

    5. Re:We need "Email 2.0" by LordEd · · Score: 1

      Open source or not is irrelevant to the problem. We're talking about authentication, not code philosophy. If it makes you feel better, then I will agree that it should be open source.

      Now that anybody can use it, I want to know who decides what is valid mail on your new system. If nobody decides, then what prevents a spammer from declaring themselves trustworthy and continuing to spam as normal? Security can be in an open structure. I'm asking what is your idea for that structure?

      Your reply uses 'authority of record' and 'authorized sender'. I'm asking who is doing this authentication. If you're saying that the domain declares itself trustworthy, then you're talking about SPF, which is already supported by many anti-spam applications.

      You need to think more negatively and attack your own solution in order to improve it.

    6. Re:We need "Email 2.0" by erroneus · · Score: 1

      I'd offer the same way we currently do DNS... seems to work pretty well.

    7. Re:We need "Email 2.0" by LordEd · · Score: 1

      DNS currently points to the valid servers. SPF permits a site to declare their valid outbound email servers by adding an entry on their name server. How would your protocol be any different?

      SPF is a good way to assist anti-spam programs. If configured at its strongest level (outbound mail for given domain MUST come from specified IP addresses), and if the receiving server has appropriate filtering software, the fake emails are immediately tossed. The problem is that many sites and systems do not implement it.

      If we made a new protocol, why would it be implemented over other available solutions?
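
LordEd's "strongest level" configuration (outbound mail for a domain MUST come from the listed addresses, everything else hard-fails) is easy to see in code. What follows is an added example written for this page, not code from the thread or from any SPF implementation: a minimal evaluator for the ip4, ip6 and all mechanisms that looks records up in a constructed in-memory table instead of DNS. The domains, addresses and records are invented for the example, and the include, a, mx and redirect terms are left out.

```python
"""Minimal SPF evaluator (added example, not code from the thread).

Checks the domain of the SMTP envelope sender against the IP address that
connected to the MTA using the mechanisms a small site typically publishes:
ip4, ip6 and the terminal "all" with its qualifier.  Records come from a
constructed in-memory table instead of DNS so the example runs offline;
include, a, mx and redirect are deliberately not implemented.
"""
import ipaddress

# Constructed stand-in for DNS TXT lookups: domain -> SPF record (None = nothing published).
FAKE_DNS = {
    # "strongest level": anything not from these networks hard-fails
    "strict-bank.test": "v=spf1 ip4:192.0.2.0/24 ip6:2001:db8::/32 -all",
    # softfail: receivers are asked only to treat unlisted senders with suspicion
    "soft-bank.test": "v=spf1 ip4:198.51.100.10 ~all",
    # domain that publishes nothing: SPF gives the receiver no signal at all
    "no-spf.test": None,
}

QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}


def parse_record(record):
    """Split 'v=spf1 ...' into (qualifier, mechanism, argument) tuples."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # RFC 7208: a missing qualifier means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        mechanism, _, argument = term.partition(":")
        parsed.append((qualifier, mechanism.lower(), argument))
    return parsed


def evaluate_spf(sender_domain, client_ip, dns=FAKE_DNS):
    """Return 'pass', 'fail', 'softfail', 'neutral' or 'none' for one SMTP connection."""
    record = dns.get(sender_domain)
    if record is None:
        return "none"
    ip = ipaddress.ip_address(client_ip)
    for qualifier, mechanism, argument in parse_record(record):
        if mechanism == "all":
            return QUALIFIERS[qualifier]     # "all" always matches, so it must be last
        if mechanism in ("ip4", "ip6"):
            try:
                network = ipaddress.ip_network(argument, strict=False)
            except ValueError:
                continue                     # malformed term: skip it rather than match
            if ip.version == network.version and ip in network:
                return QUALIFIERS[qualifier]
    return "neutral"                         # no term matched and no "all": RFC 7208 says neutral


def mta_action(spf_result):
    """Receiver policy LordEd describes: reject hard failures, only score soft ones."""
    return {"fail": "reject", "softfail": "score-as-suspicious"}.get(spf_result, "accept")


if __name__ == "__main__":
    for domain, ip in [("strict-bank.test", "192.0.2.77"), ("strict-bank.test", "203.0.113.5"),
                       ("strict-bank.test", "2001:db8:1::1"), ("soft-bank.test", "203.0.113.5"),
                       ("no-spf.test", "203.0.113.5")]:
        result = evaluate_spf(domain, ip)
        print(f"{domain:18} from {ip:16} -> {result:8} -> {mta_action(result)}")
```

The three records show the gap LordEd points at: only the `-all` domain lets the receiver reject outright; `~all` is merely a hint, and a domain with no record (which the thread notes is still most of them) yields no signal at all.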

  14. Re:How about just block emails from paypal? by networkBoy · · Score: 2, Interesting

    Fair enough.
    I run a script that loads their page mercilessly and attempts to log in through their proxy/spoof with random credentials.
    It's a practice that's gotten me DOS'd more than once.

    But your average joe sixpack is susceptible to these scams, and as such I like what ebay corp. is attempting to do.
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  15. DomainKey and SPF by Anonymous Coward · · Score: 0

    Every SMTP server out there should implement DomainKey and SPF!

    Yes, they try to do the same thing. However, not everyone uses SPF (or DomainKey). Therefore the burden rests on the mail administrator. He should implement as many 'solutions' as possible to be compatible (ie: not flagged as spam).

  16. Digital signature is the correct approach by starfishsystems · · Score: 1

    If emails were digitally signed, the identity of the sender would either verify or would fail to verify. This sounds like the correct approach. In competing approaches, the message is tagged in some way, the problem being that such messages can still be forged.

    The barrier to acceptance of any signature approach (and there are several) is getting everybody on board, or at least a large enough segment of the user population to make a compelling case for others to follow. Paypal might be that segment, because it (a) originates large volumes of email, and (b) has built the infrastructure to digitally sign them.

    If Paypal can persuade the larger mail transfer agents to reject unsigned messages purporting to be from Paypal users, the case is made. That takes some administrative effort by the MTA but not a lot. Adding a few more large players like Paypal requires only incremental effort on the part of the MTAs. Eventually, we get to a point where at some MTAs this filtering is no longer managed as a special case but becomes a general requirement.

    --
    Parity: What to do when the weekend comes.
    1. Re:Digital signature is the correct approach by jfengel · · Score: 1

      It's not quite as easy as it sounds. It hinges on the notion of "purporting to be from Paypal users". It's easy to eliminate cases where the return address is paypal.com but the signature fails. It's harder when the return address is paypa1.com (look closely), and eventually it just devolves to the spam recognition problem, which is known to be hard.

      And once you've defined that, the digital signature becomes nearly moot. If it's in the "looks like Paypal" category but links to something other than paypal.com, you know it's a fraud. GMail already seems to be 100% effective at sorting those out; I haven't seen a phishing attack along those lines in forever (despite getting hundreds of spams per day to certain addresses.)

      Here's some cynicism: this is a way of letting PayPal carry paid advertising. Right now they know that they can't link to anybody but PayPal or the email gets chucked. If they convince mail providers to say, "We're 100% convinced this is authentic PayPal" they can start carrying any content they like, including (essentially) spam. Oh, sure, they'd call it "marketing partners" or something even more dubious, but spam it would be.

    2. Re:Digital signature is the correct approach by starfishsystems · · Score: 2, Interesting

      Right. I think you're saying that Paypal signatures can only help with verifying Paypal domains, not domains that might to a casual observer look like Paypal domains. I agree with the implied conclusion that signed email doesn't eliminate this particular type of phishing scam.

      Signed email does, however, eliminate the presently very common and significant type of scam that depends on forging emails from legitimate domains.

      Signed email also provides an effective basis for spam control, so I have to disagree with you on the point that spam recognition is hard. It's only hard because, at present, it depends entirely on content analysis. If we could make it depend on originating address, because the message signature lets us verify this address, then we could filter without regard to content.

      The critical difference is that filtering can now be done reliably. You either filter messages that match a certain address pattern or you don't. So the filtering problem becomes "just" a question of granularity. In other words, if my filter is set up to accept everything from the Paypal domain, and not every Paypal user is well behaved, then I'll see some amount of spam coming through perhaps. But I can then choose to reliably filter out individual addresses which I find bothersome, or I can train a Bayesian filter to do it for me.

      On a larger scale, suppose you're right and Paypal tries to leverage the strength of its digital signatures to deliver spam content, to the point that a significant amount of Paypal message traffic becomes spam. What do you think will happen then? MTAs will start to filter the entire domain. And because of the signatures on such traffic, they will be able to do so reliably.

      --
      Parity: What to do when the weekend comes.
  17. Re:How about just block emails from paypal? by Spazmania · · Score: 1

    Easier said than done. How do their systems know that an email purports to be from paypal? The fact that it says "paypal"? This post would be blocked. That there is a link to paypal? The link isn't to paypal; it's to the phishing site. If there was a way to "know" that an email purported to be from paypal, most of these services would already block it due to Paypal's SPF records.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  18. Re:Paypal, eh? by Coraon · · Score: 1

    Heh, should paypal be even more concerned with doing what they say they do and just let stupid users be duped? I mean, if I fall for a scam in the non-internet world I'm left holding the bag. If I buy something from the back of a truck from a guy claiming to be a "Sony delivery guy" who missed his delivery and needs to get rid of these before he gets back to the shop, and they don't work, then it's my own damn fault. Paypal is pissing in Darwin's pool; I say they should just leave it alone.

    --
    -Ours is the wisdom of Solomon, the magic of Merlyn, the fall of Icaris.
  19. A large part of the solution already exists by Whiteout · · Score: 1

    Why doesn't Paypal sign its e-mails in the conventional sense (http://en.wikipedia.org/wiki/X509)? Every major mail client would flag it with a nice wax seal or similar and a reasonably knowledgeable user would have confidence in his PayPal messages. A little education from PayPal's site about looking for a good signature would go a long way to helping everyone else.

    At the moment, since mail clients don't know anything about DomainKeys, we have NO WAY of knowing if mail really is from PayPal.

    And perhaps a mail client consortium could manage lists of domains requiring valid signatures: mail from paypal.com and not signed goes straight to the junk folder; it's not completely different from the management of certificate authorities. Alternatively, at least for Thunderbird, a simple extension could do that job.

    And of course this isn't a problem domain specific to PayPal, so their individual lobbying seems to be a drop in the ocean at best.

    Andy

    1. Re:A large part of the solution already exists by nuzak · · Score: 1

      > At the moment, since mail clients don't know anything about DomainKeys, we have NO WAY of knowing if mail really is from PayPal.

      Domainkeys don't need support in the MUA -- the MTA can discard messages failing a domainkey check before it even gets to the user.

      If Paypal is officially saying "drop all mail from an address @paypal.com that doesn't have a domainkey", I'll be happy to oblige. I'll bet you a stack of gold bars (smuggled out of Nigeria of course) that they have third-party marketers that don't use them. No skin off my back as a user, but as an admin I'd find myself as usual being the one paying for their incompetence.

      --
      Done with slashdot, done with nerds, getting a life.
    2. Re:A large part of the solution already exists by Whiteout · · Score: 1

      DomainKeys have nothing to do with MUA, but at the moment they are the only way I (the mail recipient) can authenticate a PayPal e-mail. Since DomainKeys are not part of SMTP and since - other than a verbal/written PayPal request - there is no requirement for SMTP servers to discard unsigned e-mails, I can't trust that a 'PayPal' e-mail that reaches me must be authentic. You are happy to oblige PayPal's request, and that's good for everyone, but not everyone is going to follow your example.

    3. Re:A large part of the solution already exists by Anonymous Coward · · Score: 0

      All but a few email headers can be forged/faked by phishers; the contents and signature in the body of the message can also be fake, as can the sender's name and email address.

      I have examined many emails, and I must say that I can tell if an email is fake ONLY if I have a few or more legitimate examples from the sender, but after that I can ID almost all of them as legit or fake, as long as the sender didn't change location or computer type etc.

      The problem is that the average consumer doesn't know how to interpret email headers, and we need a good way to do this automatically by program.

    4. Re:A large part of the solution already exists by nuzak · · Score: 1

      > Since DomainKeys are not part of SMTP and since - other than a verbal/written PayPal request - there is no requirement for SMTP servers to discard unsigned e-mails,

      You seem to be under the impression that MTA == SMTP server. Their job is to transfer messages: policy regarding transfer (including whether it's transferred at all) is part of the package, and RFC2822 headers have been the province of the MTA from day 1 (Received headers for instance). Some MTAs even speak other protocols.

      I do this stuff for a living, and obviously I'm not going to drop all mail that doesn't have domainkeys (it's got what, a 0.000001% adoption rate?). But if Paypal claims that all their legitimate outbound mail has domainkeys, then it's a really cheap heuristic for me to drop anything from them that lacks one. You don't need to write an RFC for every local policy.

      --
      Done with slashdot, done with nerds, getting a life.
    5. Re:A large part of the solution already exists by metamatic · · Score: 1

      Domainkeys don't need support in the MUA -- the MTA can discard messages failing a domainkey check before it even gets to the user.

      The MTA can also drop messages failing an S/MIME signature check. As an added benefit, S/MIME is already supported in every major MUA anyway. So why do we need yet another "standard"?

      --
      GCHQ Quantum Insert installed. If only our tongues were made of glass, how much more careful we would be when we speak
  20. a simpler solution by Anonymous Coward · · Score: 0

    It's ironic that most of the PayPal/BankOfAmerica/eBay phishing spam I've seen simply links directly to images from the legitimate site, and that McCain's MySpace page was "pranked" with a simple .htaccess rule... same solution applies here, but PayPal et al won't apply it because they don't take any outside suggestions due to "intellectual property issues" (and yes, I've suggested it).

    Getting what they deserve? Yeah, probably.

  21. PayPal? What about the parent company, eBay? by idiosynchronic · · Score: 2, Informative

    My problem isn't PayPal - it's the frickin' parent company of eBay.

    The spam and phishing from PayPal is insignificant compared to the crap I get through eBay should I try to auction or sell off an old computer system. (Next to charity donation, it's the best recycling system I have available) The last 3 auctions I did - it took me 6 weeks to get rid of a Tablet PC because the first auction was terminated by a Nigerian trying to defraud me, the 2nd derailed because of the first's premature termination, and the third because of buyer's reluctance to look at something that had been up for auction twice before. The laptop that followed was sniped by another Nigerian fraudster.

    During the whole process, I probably received on the order of 12 'messages' about my auctions by spammers. 12 spams is pretty low, except that I have to delete them out of my email, delete them from the item's message queue, and then last delete them from the eBay "My Messages" inbox as well. If I have to delete spam from 3 different locations, and there's no simple way of informing eBay that a message is spam, they're obviously complicit, incompetent or they honestly don't give a damn.

  22. Didn't you get my offer? by Leuf · · Score: 2, Funny

    I sent you an email offering you just this very thing the other day. My uncle, the prince of Nigeria, has been mortified by all the spam and phishing scams occurring all over the world. He set aside $100,000,000 dollars into a fund for those most affected. He asked me to track them down for him. Given the sensitive nature of this program we are delivering the funds strictly in cash. All we need from you is to send your car keys and the location where it is parked to this PO Box, and in a few days you will find a large suitcase in the trunk.

    1. Re:Didn't you get my offer? by Gareth+Williams · · Score: 1

      How will I open the trunk without my keys, you insensitive clod?

      --

      --Gareth
  23. The funny part by Lumpy · · Score: 2, Interesting

    Most paypal and ebay scam emails DON'T look legitimate. Most are so poorly formed they stand out as fake. From address is wrong, subject is formatted very differently etc... Anyone that uses Paypal regularly can easily see how bad of a job the scammers do in the fake emails.

    Problem is, they are taking advantage of the fact that people like me make up 10% of the total population, the rest fall for it because they don't take the time to be careful.

    --
    Do not look at laser with remaining good eye.
    1. Re:The funny part by Anonymous Coward · · Score: 0

      I have received many PayPal emails that are almost word for word identical to actual PayPal emails. To the casual user, they may as well be one and the same.

      Most financial emails are ridiculously fake, but the PayPal ones I get are frighteningly believable.

      Still, who clicks on them?

  24. Re:SPF /DKIM by sjwest · · Score: 1

    We have SPF for all our domains. DKIM is a pain if you have more than one domain; the DNS bit is easy, the signing more iffy. Result: I gave up on DKIM implementation.

    Yes, we could easily check for DKIM signatures, but I have SPF already, so I saw little point to DKIM. Main problem here is that mail clients don't do much with this extra header line that the MTA/DKIM signer puts in.

    The point to this is that while it's probably hard to fake, DKIM does not offer much to the mail client. With more than one domain, DKIM becomes a bitch to configure.

    I found DKIM to be a waste of time; SPF, however, is not.

    The day eBay tells me what I need to run a mail server (heard of RFCs, eBay?) is the day I tell eBay/PayPal to go get lost.

  25. Re:How about just block emails from paypal? by Jimmy+King · · Score: 1

    The same way the SPF records catch them, most of them I get claiming to be from paypal have a paypal.com e-mail address as the from address.

  26. Good news! by bziman · · Score: 4, Insightful

    I run my own domain, and while I haven't found a good API for checking domain keys yet, one thing I do is check to see if a domain key signature is present in domains that are known to use them -- for example, if a message claims to be from gmail.com or yahoo.com, I just make sure there is a domain key signature header in the message... no need to validate it. Sure, a spammer could put a fake signature in, but then it would be blocked by the major mail providers.

    Granted, this is only a short term solution -- I'm hoping that good support for domain keys appears for Exim before too much longer.

    I am also using Sender Policy Framework, as one poster suggested; however, it does have two significant limitations. The first limitation is that it doesn't work for forwarded accounts... for example, I use an @acm.org forwarder for some traffic, which means that the host connecting to my mail server is from acm.org, which won't be listed in the SPF entry for iwanttohireyou.com. There have been some proposed methods for re-writing From lines, but it's really not workable. In my case, I know what servers are allowed to forward mail to my domain, and I simply bypass the SPF check in those cases.

    The other problem with SPF, that I see more and more, is that most spammers have stopped putting well known domains in their from lines and are instead using garbage domains, which of course do not have SPF entries. If SPF was universal, then the absence of an SPF entry would tell you something, but it isn't, so it doesn't.

    Still, between SPF, domain keys, and well monitored RBLs, you can keep spam to a minimum, and I applaud PayPal for trying to get other ISPs to implement these sorts of controls.

    -brian

  27. Actually it isn't by Anonymous Coward · · Score: 0

    SPF works with SMTP envelope addresses and prevents bounceback spam and SMTP forgery. Most phishing emails rely on MUAs displaying a sender address present in the email itself. This is what Microsoft's ridiculous (as in: technically unsound) SenderID proposed to solve. Because email data can be arbitrary, signing the message body (including the headers) is the only way to prevent message forgery. I've not looked at DKIM in a while so I'm not sure if it's become a viable solution yet?

  28. Re:How about just block emails from paypal? by Spazmania · · Score: 1

    Then they don't need domain keys, do they? They could just drop messages with paypal.com in the from address that fail SPF.

    Except if you check closely, the messages probably didn't use paypal.com in the envelope sender; they probably only used it in the From header. This means that if the service blocked those messages, then anybody aggregating multiple email addresses into one mailbox would see their messages fail at the forwarder.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  29. Weird PayPal probing by Anonymous Coward · · Score: 0

    OK, this is off-topic but it does involve PayPal and email. When someone is sending spam to PayPal with my (forged) address, I get weird probing of my email server from PayPal even though the mail isn't coming from my server. I don't know what they are trying to determine, but you'd think PayPal would figure out that most spam is forged. Has anyone else noticed this?

  30. Re:How about just block emails from paypal? by Goaway · · Score: 1

    Just what is "imspeech" supposed to mean? I honestly can't figure it out.

  31. Mail readers need to improve by postbigbang · · Score: 1

    Ok, class, here's the header, now tell me what's wrong with it:

    Date: March 28, 2007 9:36:46 AM EDT
    From: admin@paypal.com
    Subject: Your PayPal account access is limited.
    To:
    Reply-To: paypal@paypal.com
    Return-Path:
    Received: from 10.0.0.2 (ont-static-216.70.173.8.mpowercom.net [216.70.173.8] (may be forged)) by localhost.localdomain (8.12.11.20060308/8.12.11) with SMTP id l2SDfRsJ001136 for ; Wed, 28 Mar 2007 08:41:29 -0500
    Received: from by ; Wed, 28 Mar 2007 17:30:46 +0400
    Message-Id: >
    X-Mailer: Internet Mail Service (5.5.2650.21)
    Mime-Version: 1.0
    Content-Type: multipart/alternative; boundary="--542976798523875"
    X-Priority: 1
    X-Msmail-Priority: High
    Status:

    You guessed it! NOW WHY CAN'T EMAIL READERS have a parser in them that goes: hey, user, wake up, this is a weird message and you should be advised that things don't match up like they should (in this case, Reply-To, sender, and source/origin).

    Egads.

    --
    ---- Teach Peace. It's Cheaper Than War.
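    An added example, not code from the poster: the cross-check the post asks for, run over a constructed header set modelled on the one quoted above (placeholder values stand in for the fields the post left empty) and over a constructed consistent set for comparison.

```python
import re
from typing import Dict, List

# Constructed sample modelled on the header quoted above; the fields that were
# empty in the post are filled with placeholders (example.net / example.org).
SUSPECT = """\
Date: Wed, 28 Mar 2007 09:36:46 -0400
From: admin@paypal.com
Subject: Your PayPal account access is limited.
To: victim@example.net
Reply-To: paypal@paypal.com
Return-Path: <bounces@mail.example.org>
Received: from 10.0.0.2 (ont-static-216.70.173.8.mpowercom.net [216.70.173.8] (may be forged))
    by mx.example.net (8.12.11.20060308/8.12.11) with SMTP id l2SDfRsJ001136;
    Wed, 28 Mar 2007 08:41:29 -0500
X-Mailer: Internet Mail Service (5.5.2650.21)
"""

# Constructed counter-example: what a consistent header set looks like.
CONSISTENT = """\
From: service@paypal.com
To: victim@example.net
Reply-To: service@paypal.com
Return-Path: <bounces@paypal.com>
Received: from mx1.paypal.com (mx1.paypal.com [203.0.113.10])
    by mx.example.net with ESMTP; Wed, 28 Mar 2007 08:41:29 -0500
"""

ADDR_RE = re.compile(r"[\w.+-]+@([\w.-]+)")
# "from <helo> (<reverse-dns> [<ip>]" as written by sendmail-style MTAs
RCVD_RE = re.compile(r"from\s+\S+\s+\(([^\s\[(]+)\s*\[([\d.]+)\]")


def parse_headers(raw: str) -> Dict[str, List[str]]:
    """Parse a raw header block, joining folded continuation lines; names are lower-cased."""
    headers: Dict[str, List[str]] = {}
    current = None
    for line in raw.splitlines():
        if line[:1] in (" ", "\t") and current:
            headers[current][-1] += " " + line.strip()
            continue
        name, _, value = line.partition(":")
        current = name.strip().lower()
        headers.setdefault(current, []).append(value.strip())
    return headers


def addr_domain(value: str) -> str:
    """Domain part of the first address in a header value, or '' if none."""
    m = ADDR_RE.search(value)
    return m.group(1).lower() if m else ""


def same_org(host: str, domain: str) -> bool:
    """True if host is the domain itself or a subdomain of it."""
    return host == domain or host.endswith("." + domain)


def check_headers(raw: str) -> List[str]:
    """Return human-readable mismatches; an empty list means nothing looked odd."""
    h = parse_headers(raw)
    warnings: List[str] = []
    from_dom = addr_domain(h.get("from", [""])[0])
    for field in ("reply-to", "return-path"):
        dom = addr_domain(h.get(field, [""])[0])
        if dom and from_dom and not same_org(dom, from_dom):
            warnings.append(f"{field} domain {dom} does not match From domain {from_dom}")
    # Only the top Received line is trustworthy: our own MTA wrote it. Lower ones
    # were supplied by the sender and can say anything.
    received = h.get("received", [])
    if received:
        m = RCVD_RE.search(received[0])
        if m:
            rdns, ip = m.groups()
            if from_dom and not same_org(rdns.lower(), from_dom):
                warnings.append(f"connecting host {rdns} [{ip}] is not under {from_dom}")
        if "(may be forged)" in received[0]:
            warnings.append("receiving MTA could not confirm the connecting host's reverse DNS")
    return warnings


if __name__ == "__main__":
    for w in check_headers(SUSPECT):
        print("warning:", w)
    print("consistent sample:", check_headers(CONSISTENT) or "no mismatches")
```

The SUSPECT sample yields three warnings (Return-Path domain, connecting host, unconfirmed reverse DNS); the constructed CONSISTENT sample yields none.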
    1. Re:Mail readers need to improve by Anonymous Coward · · Score: 0

      OK smart guy. Here is the source code for Thunderbird, please feel free to modify it to implement your suggestion. Best of luck figuring out if things "match up like they should".

    2. Re:Mail readers need to improve by Anonymous Coward · · Score: 0

      First, not everyone uses POS (piece of shit) online web-mail systems or the EWPOS (even worse piece of shit) SMTP servers of their ISP. How about for example, that millions of people (like myself) send e-mails using a Comcast.net IP, but send them through different mail servers? How about the fact that I send mail from one account, on one domain, that I *want* replies to go to the official support addy on a different domain? How about someone like me that handles support for a dozen different domains that get forwarded to my catchall address, and I need to reply with a dozen different reply addys, on different domains??

    3. Re:Mail readers need to improve by Fujisawa+Sensei · · Score: 1

      Here you go:

      From: admin@paypal.com

      Everything from paypal.com and all other financial institutions goes in the trash.

      --
      If someone is passing you on the right, you are an asshole for driving in the wrong lane.
  32. Running your own server by ickleberry · · Score: 0

    Every day it gets harder to run your own mail/web server. Soon you will need an operating license to have one, and soon after that there will be a per-message charge for every email you send. Just one more step toward turning the internet into the one-way broadcast medium that TV and radio are.

  33. *PGP/GnuPG, anyone? by ettlz · · Score: 1

    And for those of us who already sign our e-mails and publish a public key, why doesn't PayPal simply distribute its public key block on its web-site, using HTTPS so that its integrity is maintained?

  34. Re:How about just block emails from paypal? by The+Cisco+Kid · · Score: 4, Insightful

    Someone once said "A fool and his money are soon parted".

    Joe Sixpack needs to get off his ass, and actually learn something about the tool (yes, it's a TOOL, not a toy) he is using to send/receive REAL money to/from other people. If he is too lazy/ignorant/unmotivated to do that, then he will get ripped off, and it's not eBay's, PayPal's, or the government's job to protect him from his own stupidity.

  35. Email is Stupid by objekt · · Score: 2, Insightful

    I've said it before and I'll say it again; email is stupid. I freaking HATE email. It's mostly spam and is rarely useful.

    I rely on forums and chats for 99% of my useful communications on the internet.

    The whole concept of email needs to be redesigned, as others have pointed out.

    Paypal should communicate with users through its site, NOT through email.

    --
    -- Boycott Shell
    1. Re:Email is Stupid by Anonymous Coward · · Score: 0

      I rely on forums and chats for 99% of my useful communications on the internet.
      Phew! I'm glad I'll never be communicating with you!
    2. Re:Email is Stupid by Bearhouse · · Score: 1

      Half right. Email is very useful for what most use it for - communicating information and data that does need to be secure, or presents a low security risk. It should not be used for sensitive information - that is the problem. To summarise other posts here, trying to secure email seems to be too hard to do - log into secure site instead...

    3. Re:Email is Stupid by AnyoneEB · · Score: 1

      Interesting, I do a lot of communication over the internet through e-mails. Maybe every internet user does not have exactly the same usage pattern.

      --
      Centralization breaks the internet.
    4. Re:Email is Stupid by Phroggy · · Score: 1

      Many of us disagree with you.

      I definitely want PayPal to continue sending me e-mail notification whenever it is appropriate to do so. I haven't gotten e-mail from PayPal in a long time, but if somebody sends me money for some reason, I definitely want them to send me an e-mail to let me know.

      --
      $x='S24;r)>63/* h@<5+oZ)32"5cz';$me='phroggy'x$];
      $x=~y+ -xz+\0-Tx+;print$_^chop$me for split'',$x;
  36. Re:How about just block emails from paypal? by Anonymous Coward · · Score: 0

    I think he meant "impeach"

  37. Re:GNAA FP by Anonymous Coward · · Score: 0

    U R rite!

  38. Re:How about just block emails from paypal? by Jimmy+King · · Score: 1

    Then they don't need domain keys, do they? They could just drop messages with paypal.com in the from address that fail SPF.


    My understanding of the article is that using SPF might be considered a valid protection. DomainKeys is the only thing specifically mentioned but the article does say "several technologies". While SPF isn't digital signing, I wouldn't be surprised if it is included in that list. Basically asking providers to use one or more of a variety of technologies to help with the problem.

    Except if you check closely, the messages probably didn't use paypal.com in the envelope sender; they probably only used it in the From header. This means that if the service blocked those messages, then anybody aggregating multiple email addresses into one mailbox would see their messages fail at the forwarder.

    Just to make sure I'm understanding you right (I'm pretty sure I am, but it's the Internet, communications go wrong sometimes), you mean as in if I had, say, 5 e-mail addresses and each of them forwarded the e-mail to me@myemail.com so that I could check them all in one place, and my real paypal e-mails were being sent to one of those original 5?

    If that's the case I'm guessing that Ebay/Paypal are just betting on there being a minimal amount of people doing that who are also going to be incapable or unwilling to just have paypal send stuff directly to their main address or work out some other technical solution if they've got enough control/access to the servers.
  39. #1. Define your requirements. by khasim · · Score: 1

    but this is more than just one specific case.

    Not really. It's "fraud". That's all.

    even if paypal instituted a never-use-email policy, it wouldn't stop the phishing.

    Correction: It would not stop the phishing attempts. It could stop the fraud from occurring. And that is the goal, is it not?

    even if every financial institution used this policy, it would take a while before the public really understood that they should never trust an email from a financial institution.

    Let me give you an example of how to end the fraud without worrying about the SMTP protocol.

    A customer sets up an account with a financial institution (FI). The customer provides information such as a phone number.

    For any online transaction to be completed, the FI will call that number and ask the person to approve the transaction amount. Failure to approve the amount will result in the transaction being denied.

    It's as simple as that.

    in the time it would take, we could probably develop a new SMTP that would stop the phishing and the spamming.

    Possibly. But without defining the requirements you're pretty sure not to hit them.

    SMTP works and is widely deployed. You'd have to replace a LOT of infrastructure ... just to POSSIBLY prevent fraud that is more easily preventable in other ways.
    1. Re:#1. Define your requirements. by GvG · · Score: 1

      A customer sets up an account with a financial institution (FI). The customer provides information such as a phone number. For any online transaction to be completed, the FI will call that number and ask the person to approve the transaction amount. Failure to approve the amount will result in the transaction being denied.

      Already being done over here. I set up a transaction via a web-based interface. My bank will send an SMS message containing the total transaction amount and a secret to a pre-registered phone number. To complete the transaction, I enter the secret into the web-based interface. Wish I had thought of this myself, I think it's pretty neat.

  40. Re:How about just block emails from paypal? by Jimmy+King · · Score: 1
    Dammit, I hate when I forget to preview first. I missed a set of blockquote tags, so just in case that above post is unclear, here's where the second blockquote should have been.

    Except if you check closely, the messages probably didn't use paypal.com in the envelope sender; they probably only used it in the From header. This means that if the service blocked those messages, then anybody aggregating multiple email addresses into one mailbox would see their messages fail at the forwarder.

    Just to make sure I'm understanding you right (I'm pretty sure I am, but it's the Internet, communications go wrong sometimes), you mean as in if I had, say, 5 e-mail addresses and each of them forwarded the e-mail to me@myemail.com so that I could check them all in one place, and my real paypal e-mails were being sent to one of those original 5?

    If that's the case I'm guessing that Ebay/Paypal are just betting on there being a minimal amount of people doing that who are also going to be incapable or unwilling to just have paypal send stuff directly to their main address or work out some other technical solution if they've got enough control/access to the servers.

  41. The required. . . by cadeon · · Score: 0

    Your post advocates a

    ( x ) technical ( ) legislative ( ) market-based ( ) vigilante

    approach to fighting spam. Your idea will not work. Here is why it won't work. (One or more of the following may apply to your particular idea, and it may have other flaws which used to vary from state to state before a bad federal law was passed.)

    ( ) Spammers can easily use it to harvest email addresses
    ( x ) Mailing lists and other legitimate email uses would be affected
    ( ) No one will be able to find the guy or collect the money
    ( ) It is defenseless against brute force attacks
    ( x ) It will stop spam for two weeks and then we'll be stuck with it
    ( x ) Users of email will not put up with it
    ( ) Microsoft will not put up with it
    ( ) The police will not put up with it
    ( ) Requires too much cooperation from spammers
    ( x ) Requires immediate total cooperation from everybody at once
    ( ) Many email users cannot afford to lose business or alienate potential employers
    ( ) Spammers don't care about invalid addresses in their lists
    ( ) Anyone could anonymously destroy anyone else's career or business

    Specifically, your plan fails to account for

    ( ) Laws expressly prohibiting it
    ( ) Lack of centrally controlling authority for email
    ( ) Open relays in foreign countries
    ( ) Ease of searching tiny alphanumeric address space of all email addresses
    ( x ) Asshats
    ( x ) Jurisdictional problems
    ( ) Unpopularity of weird new taxes
    ( ) Public reluctance to accept weird new forms of money
    ( ) Huge existing software investment in SMTP
    ( ) Susceptibility of protocols other than SMTP to attack
    ( ) Willingness of users to install OS patches received by email
    ( x ) Armies of worm riddled broadband-connected Windows boxes
    ( x ) Eternal arms race involved in all filtering approaches
    ( x ) Extreme profitability of spam
    ( x ) Joe jobs and/or identity theft
    ( ) Technically illiterate politicians
    ( x ) Extreme stupidity on the part of people who do business with spammers
    ( x ) Dishonesty on the part of spammers themselves
    ( ) Bandwidth costs that are unaffected by client filtering
    ( ) Outlook

    and the following philosophical objections may also apply:

    ( x ) Ideas similar to yours are easy to come up with, yet none have ever been shown practical
    ( ) Any scheme based on opt-out is unacceptable
    ( ) SMTP headers should not be the subject of legislation
    ( ) Blacklists suck
    ( ) Whitelists suck
    ( ) We should be able to talk about Viagra without being censored
    ( ) Countermeasures should not involve wire fraud or credit card fraud
    ( ) Countermeasures should not involve sabotage of public networks
    ( ) Countermeasures must work if phased in gradually
    ( ) Sending email should be free
    ( x ) Why should we have to trust you and your servers?
    ( x ) Incompatibility with open source or open source licenses
    ( ) Feel-good measures do nothing to solve the problem
    ( ) Temporary/one-time email addresses are cumbersome
    ( ) I don't want the government reading my email
    ( x ) Killing them that way is not slow and painful enough

    Furthermore, this is what I think about you:

    ( x ) Sorry dude, but I don't think it would work.
    ( ) This is a stupid idea, and you're a stupid person for suggesting it.
    ( ) Nice try, assh0le! I'm going to find out where you live and burn your house down!

  42. Re:How about just block emails from paypal? by Spazmania · · Score: 2, Insightful

    you mean as in if I had say 5 e-mail address and each of them forwarded the e-mail to me@myemail.com so that I could check them all in one place and my real paypal e-mails were being sent to one of those original 5?

    Correct. It's a relatively common occurrence: you have everything going to me@myisp.com but you start using me@gmail.com instead, so you have your ISP forward everything that goes to me@myisp.com to me@gmail.com.

    If that's the case I'm guessing that Ebay/Paypal are just betting on there being a minimal amount of people doing that who are also going to be incapable or unwilling to just have paypal send stuff directly to their main address.

    Debatable, but even if it was perfectly true it doesn't open an avenue to a solution. The odds of Joe User noticing that the email really came from accounts@ppaypal.com aren't very good. After all, he already missed the fact that the url links to http://12323984378/steal/my/info.php.

    Unless the provider uses domain keys or the like for ALL email (not just email @paypal.com), paypal's problem isn't addressed. That means every mail server operator, even the home hobbyist, has to subscribe to some third-party authentication service like domain keys.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  43. Keys are not the answer.. by eplossl · · Score: 2, Insightful

    Unfortunately, SPF and DomainKeys (DKIM) are not the answer to verifying mail. Currently, as has already been discussed thoroughly, the adoption rate for both of these among legitimate senders of mail has been abysmal. Those few who have adopted these tools are in the minority, and as a result, it is impossible to rely upon these tools as definitive proof that a message is legitimate.

    Compounding this problem is the fact that there is NOTHING in place to stop spammers from setting up a SPF record or perhaps a DKIM record for their domain. Some do not, but there are enough who do to make it nearly impossible to either accept or discard email specifically based upon these tools.

    Spam is notoriously hard to identify. Unfortunately, the only way to totally resolve this issue would be to develop some sort of method by which to identify legitimate senders and also to preclude people sending spam from being identified as legitimate. Given our current technology, this is not currently possible.

    The only way I can think of to eliminate spam on the internet would be for the Internet community to completely discard the current email structure and completely overhaul it to include some sort of sender verification, along with non-spam verification of mail.

    1. Re:Keys are not the answer.. by Blain · · Score: 1

      Spam is hard to identify? I'm not sure what you're talking about. I've been using PopFile to sort my email for quite a long time, in both high-spam periods and low-spam periods, and it's been more than 99% accurate almost all of that time (more than 90% accurate within a week even on low volume with a little training). It took about three messages to train it to tell phish from spam.

      I've been curious as to why providers like gmail and hotmail don't check to see if a message being sent to some threshold number of their users has an identical message body (or do a naive-Bayesian on the text, or whatever) as a way of responding to dictionary-attack spam (which I'm getting through gmail and yahoo on addresses that I don't circulate).

      I've also been curious as to why there isn't some sort of large shared naive-Bayesian filter run by trusted individuals that can be used by major providers who want to use statistical analysis to filter their spam on a massive scale. Something that would work like Spamcop, with maybe a bit of Phishtank involved, only it would be based on the content of the message, rather than forgeable identifiers of the sources of the message which can be changed quickly through bot-nets. I was able to train above 99% accuracy with a few thousand messages at 50% spam -- yahoo, gmail or hotmail are dealing with millions in a day, so they should be able to get quite a few decimals on that 99% in a matter of hours, especially if they shared the results.

      I think signed messages and certificates are a great idea and could be a helpful part of closing down opportunities for faked emails. If everybody used Enigmail, we could not only have signed messages with verified senders, we could even have email that was private (more secure than the current less-private-than-postcard system at the very least). When I talk to civilians about these kinds of things, though, I get eye-glaze very quickly. I can usually scare them out of the eye-glaze when I tell them of the time I sent a response to an email that was sent to someone else before the original recipient had even read the message I was responding to (an acquaintance was running a packet-sniffer watching for the names of people he knew, and sent it to me because he thought I might want to know -- a one-and-only occurrence), but then they go back to complacency because they've not been hurt by sending non-private email, so they don't care.

    2. Re:Keys are not the answer.. by Anonymous Coward · · Score: 0

      >Unfortunately, SPF and DomainKeys (DKIM) are not the answer to verifying mail.

      I see, so you think Domainkey and DKIM are the same thing... they are not...... DKIM has just been approved by the IETF, and will be an RFC. It is far superior to DK (domainkey), in that it gives domain assurance via 256 bit (default) encryption that authenticates the sending domain. Its features are far superior, even covering a mail timebomb which will only confirm assurance for a specific time frame. I have been running over 30 domains with DKIM for a long time now.

      >Those few who have adopted these tools are in the minority, and as a result, it is impossible to rely upon these tools as definitive proof that a message is legitimate.

      Of course it is in the minority, DKIM has just been passed... you will soon see Ebay, Earthlink, Google uses it now, and many major ISPS. They were all at the meeting in CA recently.

      >Compounding this problem is the fact that there is NOTHING in place to stop spammers from setting up a SPF record or perhaps a DKIM record for their domain.

      So what, there is nothing to stop you from setting up your DKIM policies to not lower the spam score, or to just ignore those domains you do not trust, treat them as spam, unless you say otherwise, you have that flexibility... The policy statements are as you want them to be.....

      I suggest you really find out what DKIM is...... it is not domainkey

      http://www.dkim.org/index.html

      and http://dkim.org/specs/draft-ietf-dkim-base-10.html

    3. Re:Keys are not the answer.. by pw201 · · Score: 1
      Legitimate newsletters also have identical message bodies, so you can't merely look for those on their own to catch spam. That said, you can whitelist people who send you solicited bulk email, and then you've got something like the DCC, which is in use today. If we're talking specifically about dictionary attacks, recall that the recipients are specified before the message body is transmitted, and it's usual to reject unknown users at that early stage, as once you've been sent the body, there's then no way of saying "I accepted your message to A@example.com but not B@example.com".

      Bayesian filtering is about learning what is interesting to you. If you average it over everyone's email, you'll actually get less effective at positively identifying the sort of ham (non-spam) mail that you get.

      Every time there's a discussion here about spam, people talk about doing away with SMTP and replacing it with something enforcing certificates and signatures, the great white hope for email. Apparently, nobody's considered how this applies to one useful feature of email, namely the ability for people who've never contacted you before to send you email. Spammers can get themselves certificates just as easily as anyone else.

      Paypal's idea is interesting. A quick look at news.admin.net-abuse.sightings shows a lot of Paypal phishing does purport to be from paypal.com, but as someone's already said, common mis-spellings are the obvious next step, at which point your certificates are useless (bonus points to the spammer who gets SPF, DKIM and whatnot up the whazoo for their paypa1.com domain).

      Something that might be worth looking at is a format for out-of-band information to instruct mail clients to trust certain mail and distrust other mail which looks like it (the latter being where something Bayesian could come in). That way, when you sign up to Paypal on the web you get a blob of data which your mail client understands to mean that Paypal.com using this signing key may legitimately send you bulk email, and that mails which score highly for looking like Paypal mails but aren't should get flagged and filtered.

      In any case, spam is a solved problem. Use DCC and Spamhaus Zen and then greylist (or just reject) connections from clients with no RDNS or with generic RDNS (4.3.2.1.isp.example.com for IP 1.2.3.4, say), and you're down to so little spam that it's not worth complaining about.

  44. Re:How about just block emails from paypal? by Goaway · · Score: 0, Troll

    That would be fine, except for not making any sense either.

  45. Re:How about just block emails from paypal? by Jimmy+King · · Score: 1

    Debatable, but even if it was perfectly true it doesn't open an avenue to a solution. The odds of Joe User noticing that the email really came from accounts@ppaypal.com aren't very good. After all, he already missed the fact that the url links to http://12323984378/steal/my/info.php.

    Unless the provider uses domain keys or the like for ALL email (not just email @paypal.com), paypal's problem isn't addressed. That means every mail server operator, even the home hobbyist, has to subscribe to some third-party authentication service like domain keys.


    Good points there. I definitely agree that it's not a perfect solution and could have some negative impact but do we really have any better options available right now (aside from joe user getting more intelligent about the internet, which I don't think we can really count on)?

    And now, time for a meeting... bleh.
  46. So why is paypal still *testing*?? by Russ+Nelson · · Score: 1
    If you look at their _domainkey.paypal.com record, it looks like this:

    _domainkey.paypal.com. 3600 IN TXT "t=y\; o=~"
    The t=y value says that they're still just testing. According to the DomainKeys standard, that means that you're not supposed to take any action based on the result of checking the DomainKeys signature.
    --
    Don't piss off The Angry Economist
  47. Re:How about just block emails from paypal? by miskatonic+alumnus · · Score: 1

    Where is he going to learn it?

    If we consider the shabby level of education received by Joe-6-pack in the American school system, it's doubtful that the poor bastard is familiar with the most basic methods of research. If it ain't on television, he probably hasn't got a clue about it.

    Over the decades our socio-economic system has moved in a direction that requires people to be increasingly dependent upon that system for nearly everything --- food, information, health care, appliance and automobile maintenance, etc. How many working stiffs have the time and skill to grow their own produce, medicate themselves, repair their electronic/mechanical equipment, do research on the web or (heaven forbid) a poorly stocked local library? And now you ask them to be technology experts? Sheesh!

  48. But of course! (right..) by Man+in+Spandex · · Score: 1

    Um, no.

    If you owned a company whose (almost) exclusive way of communicating with customers is by email, would you give it up and tell the millions who depend on Paypal that they'll receive receipts by the mailman? Yes, their customer service is shit, so I won't even try to sugarcoat that reality. Right, let's send an email to customers in Africa: the receipt for a purchase shall come in by Air-Camel straight from the UK!

    Yes, fake paypal emails do look very similar sometimes to the real thing, but if you fall for it, you deserve it. When I worked at a gas station, I was just surprised at the number of customers who would not read the simple instructions at the gas pump when they wanted to pay at the gaspump, and then when something wrong happened they'd come at me inside and bitch that the machine sucks. Well fuck them, I'd tell them "Just read the instructions. They don't sucks, See that man on #4, he did it... so you can too, no?". Even better, they'd come inside, pick a pack of gum and ask me what's the price when the price tag is right there where they picked the fucking gum.

    There's always a pattern to fake emails. You have to use "just a bit" of common sense. The very first emails ebay and paypal send you, just like any other company that operates online, say that they will never ask for your information, and with paypal you should always manually type the site when in doubt; x.com doesn't take long to type now, does it?

    PayPal is shit but the options are pretty limited so we have to make an extra effort as customers to avoid the most issues.

    1. Re:But of course! (right..) by nosferatu1001 · · Score: 1

      Or have a "secure" email storage system on their website - you want your receipt, log in to the paypal website and retrieve it from there.

      not perfect, but would cut down on the bulk a little...

  49. Errrr, this *is* an email signature by Russ+Nelson · · Score: 3, Insightful

    This *is* an email signature system, only at the MTA level rather than the MUA level like PGP. The idea is to make mass adoption easier, since, as you say, it's the main difficulty. So get off your butt and get DomainKeys working!

    --
    Don't piss off The Angry Economist
    1. Re:Errrr, this *is* an email signature by Anonymous Coward · · Score: 0

      Russ,
      Are you going to come up with anything for DKIM for qmail? I really like its implementation better than DK, e.g. mail time-bombs, where auth is good for x number of days, etc.. now that the IETF has approved it, and it will become an RFC, many large ISPs, including Ebay, and other large institutions will be going to it for domain authentication (or so they say from the last meeting in California)....

    2. Re:Errrr, this *is* an email signature by Russ+Nelson · · Score: 1

      The theory is that libdomainkeys will handle DKIM transparently, so supporting DKIM in qmail-dk is free. Might not work that way, so if there are changes to the libdomainkeys API I'll change qmail-dk as needed.

      --
      Don't piss off The Angry Economist
  50. Tries but fails by Russ+Nelson · · Score: 3, Informative

    The problem with SPF is that it's really easy to implement, and works really badly. DomainKeys is a real solution to the problem, but it's harder to implement because you can't munge the email (which various MTAs are prone to do).

    --
    Don't piss off The Angry Economist
    1. Re:Tries but fails by Milican · · Score: 1

      Could you be more specific?

      JOhn

    2. Re:Tries but fails by Matt+Perry · · Score: 1

      The problem with SPF is that it's really easy to implement, and works really badly.
      Hi Russ. Could you elaborate on this point? Why do you think that SPF "works really badly"?
      --
      Slashdot: Failed Car Analogies. Amateur Lawyering. Anecdote Battles.
    3. Re: Tries but fails by Dolda2000 · · Score: 3, Informative
      Since he does not seem to, let me take the chance to elaborate on that one. One of the greatest problems with SPF is that you can't forward messages, so SPF would mean the doom of mailing lists. To be more specific about the problem, if I send a mail to a list, it might come from me@foo.com, and in foo.com's SPF DNS record, I have stated the IP address for the mail servers from which mails are allowed to arrive. The mailing list may check that and be content, but then it forwards it to all its members, using its own mail server, which, of course, isn't recorded in foo.com's SPF record. Hence, all receiving hosts (that support SPF) will refuse the message.

      DomainKeys doesn't have a problem with that, though. It signs the message body and a select choice of headers (by default, all headers below the DomainKeys header) with a private key (which is only known to the submit servers). The receiving host checks foo.com's DNS for the public key, and verifies the signature. Obviously, this works with mailing lists as well, since it doesn't matter from which mail server the message arrives. All which matters is that the signature can be verified with the public key in the From address' domain's DNS records.

      Naturally, it isn't just mailing lists which run into problems. A lot of mail systems rely on forwarding.

    4. Re: Tries but fails by pbhj · · Score: 1

      I'm probably wrong but I'd have thought a forwarded message had the sender and server set for the forward-er and not the original sender. What you refer to sounds like relaying or redirecting. Forward as attachment shouldn't look any different (from the headers point of view) than an email you originate.

      So all a mailing list needs to do is forward a mail and not relay it?

    5. Re: Tries but fails by batkiwi · · Score: 1

      But the message is no longer "from" you, it's "from" the server. That's why we have "x-originally-from" and "reply-to".

  51. Paypal is Deceptive by bill_mcgonigle · · Score: 2, Insightful
    I've seen lots of spoof Paypal emails and some of them look frighteningly close to the real thing

    Probably because Paypal is deceptive in their own mails. Here's an excerpt from a recent PayPal mail as rendered by MailScanner:

    MailScanner has detected a possible fraud attempt from "email1.paypal.com" claiming to be AllPosters.com

    MailScanner has detected a possible fraud attempt from "email1.paypal.com" claiming to be TigerDirect.com

    Disney's Toontown
            Time Consumer Marketing

    eBags

    MailScanner has detected a possible fraud attempt from "email1.paypal.com" claiming to be ZipZoomFly.com

    MailScanner has detected a possible fraud attempt from "email1.paypal.com" claiming to be ESPN.com


    Now they have the hypocrisy to complain about others not jumping through hoops for their mail? Give me a break.

    --
    My God, it's Full of Source!
    OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
  52. GNUPG by Randseed · · Score: 1

    Why the frak don't they just use PGP/GnuPG? Cripes.

  53. Already is illlegal by Russ+Nelson · · Score: 2, Insightful

    It's already illegal to enter premises where you know you're not invited, even if the door is open. Were it not for the fact that your premise is COMPLETELY WRONG, this would a great satire.

    --
    Don't piss off The Angry Economist
  54. Re:How about just block emails from paypal? by indifferent+children · · Score: 4, Funny
    ...medicate themselves...

    They're willing to try. That's why the Dremel tools come with a warning, "This is not a dental tool."

    --
    Censorship is telling a man he can't have a steak just because a baby can't chew it. --Mark Twain
  55. Re:How about just block emails from paypal? by Bassman59 · · Score: 1

    That means every mail server operator, even the home hobbiest ... Buy a fucking dictionary, will ya? (Or at least use Firefox and its built-in spell check.)
  56. Sounds fair to me by phorm · · Score: 1

    I've gotten plenty of spams that look exactly like the paypal "you have paid X" emails. The only difference is that the site it links to is not paypal, but one intended to snarf your password.

    It's always worth checking out when you get a notification that a possibly-fraudulent purchase has been made. In my case I just go directly to paypal in my browser (without using the link in the email) and check my account, but I'd bet a lot of people might get suckered by this one.

    Is there a way to enable signature-checking for certain domains? I haven't really looked into it, but I'll gladly add a check for PayPal's sig to my Postfix/etc config files.

  57. they need to 'hard fail all' in their SPF record by marvinglenn · · Score: 2, Informative

    The first thing they should do is change the "~all" to "-all" at the end of their SPF records.

    paypal.com. 3600 IN TXT "spf2.0/pra mx include:s._sid.ebay.com include:m._sid.ebay.com include:p._sid.ebay.com include:c._sid.ebay.com include:spf-2._sid.paypal.com ~all"
    paypal.com. 3600 IN TXT "v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com include:spf-1.paypal.com ~all"

    --
    The whores get mad when the sluts give it away for free.
  58. Re:How about just block emails from paypal? by eli+pabst · · Score: 2, Insightful

    While I agree with you to an extent, if there are trivial measures that you can implement to stop this then why wouldn't you?

    Plus many of the phishing scams are actually becoming rather complex. Many are now linking images directly from the target's website so that they look fairly legitimate and then use tricks like obfuscated javascript for the link to the phishing site itself so that a cursory "put mouse over link and see where it goes" isn't going to be a clear tipoff to joe sixpack.

  59. Comment removed by account_deleted · · Score: 1

    Comment removed based on user account deletion

  60. Re:How about just block emails from paypal? by networkBoy · · Score: 1

    If it ain't on television, he probably hasn't got a clue about it. If it ain't on television and sufficiently entertaining, he probably hasn't got a clue about it.
    PBS has some very educational shows out there, but I would postulate that Joe goes "ewwww educational crap" and changes the channel faster than the speed of light. Any research Joe puts forth is likely how to delete the educational channel(s) from the TV's autoscan list (in a fit of irony).
    -nB
    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  61. "hobbiest" by burndive · · Score: 1

    I think he was referring to their hobbit-like smallness.

    --
    ...because "hacker" sounds way sexier than "code drone."
  62. Re:How about just block emails from paypal? by WoodstockJeff · · Score: 1

    If there was a way to "know" that an email purported to be from paypal, most of these services would already block it due to Paypal's SPF records.

    Not true - paypal.com and ebay.com both end their SPF record with "~all" (i.e., "softfail any address not listed"), which won't be bounced by most SPF implementations. Until they change it to "-all" (which they probably don't because they're not really sure they've covered all machines that could send legitimate mail for paypal.com), you cannot safely bounce improperly sourced messages. The same problem exists for hotmail.com/msn.com, and a great number of other domains that get regularly used for forged return addresses. gmail.com's SPF ends in "?all", or "neutral" - they don't care if a gmail.com address is spoofed.

    Not to mention I'm getting spam through now that has forged DomainKey information...
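
    The softfail/fail/neutral distinction argued over in posts 57 and 62, and the forwarding case from the "Tries but fails" subthread, can be checked mechanically. The following is an added example, not code from the thread or from any of the projects mentioned; it is a minimal SPF evaluator (ip4, include and all mechanisms only) over constructed TXT records for made-up domains, so the addresses and domain names are assumptions, not the real paypal.com or panix.com data quoted above.

```go
package main

import (
	"fmt"
	"net"
	"strings"
)

// Result is the outcome of an SPF check for one sending IP.
type Result string

const (
	Pass     Result = "pass"
	Fail     Result = "fail"
	SoftFail Result = "softfail"
	Neutral  Result = "neutral"
	None     Result = "none"      // the domain publishes no SPF record
	PermErr  Result = "permerror" // record uses something this toy does not handle
)

// txtRecords stands in for DNS. Domains and addresses are constructed for
// this example (RFC 5737 test ranges), not real zone data.
var txtRecords = map[string]string{
	"softfail.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example ~all",
	"hardfail.example": "v=spf1 ip4:192.0.2.0/24 include:_spf.esp.example -all",
	"neutral.example":  "v=spf1 ip4:192.0.2.0/24 ?all",
	"_spf.esp.example": "v=spf1 ip4:198.51.100.10 -all",
}

// qualifier maps a mechanism's optional prefix character to its result.
func qualifier(c byte) Result {
	switch c {
	case '-':
		return Fail
	case '~':
		return SoftFail
	case '?':
		return Neutral
	}
	return Pass
}

// CheckSPF evaluates ip against domain's record. The trailing "all" term
// decides what happens to mail from any host the record does not list,
// which is exactly the case a forwarder or mailing list ends up in.
func CheckSPF(domain string, ip net.IP, depth int) Result {
	rec, ok := txtRecords[domain]
	if !ok || !strings.HasPrefix(rec, "v=spf1 ") {
		return None
	}
	if depth > 10 {
		return PermErr // guard against include loops
	}
	for _, term := range strings.Fields(rec)[1:] {
		q := Pass
		if strings.IndexByte("+-~?", term[0]) >= 0 {
			q = qualifier(term[0])
			term = term[1:]
		}
		switch {
		case term == "all":
			return q
		case strings.HasPrefix(term, "ip4:"):
			cidr := strings.TrimPrefix(term, "ip4:")
			if !strings.Contains(cidr, "/") {
				cidr += "/32"
			}
			_, block, err := net.ParseCIDR(cidr)
			if err != nil {
				return PermErr
			}
			if block.Contains(ip) {
				return q
			}
		case strings.HasPrefix(term, "include:"):
			// include matches only when the referenced record yields pass
			if CheckSPF(strings.TrimPrefix(term, "include:"), ip, depth+1) == Pass {
				return q
			}
		default:
			return PermErr // mx, a, exists, ... are not needed here
		}
	}
	return Neutral // nothing matched and no explicit "all"
}

// RejectAtSMTP is the receiver policy most deployments apply: only an
// explicit fail is grounds to bounce; softfail and neutral are at most
// scoring input for a spam filter, which is why "~all" stops nothing.
func RejectAtSMTP(r Result) bool { return r == Fail }

func main() {
	sender := net.ParseIP("192.0.2.5")  // the domain's listed outbound server
	list := net.ParseIP("203.0.113.9")  // a mailing list re-sending the same mail
	for _, d := range []string{"softfail.example", "hardfail.example", "neutral.example"} {
		viaList := CheckSPF(d, list, 0)
		fmt.Printf("%-17s direct=%-8s via-list=%-8s bounce-via-list=%v\n",
			d, CheckSPF(d, sender, 0), viaList, RejectAtSMTP(viaList))
	}
}
```

    Running it shows the trade-off both sides of the thread describe: with "-all" the forwarded copy is rejected outright (the mailing-list problem), with "~all" or "?all" it is not, but then a forged message from an unlisted host is not rejected either.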

  63. Wait, that can't be possible! by raehl · · Score: 1

    SMTP is not only defective by design, but defective by requirement.

    Nobody ever meets the design requirements!

    Next you're going to tell me they were on schedule too!

    1. Re:Wait, that can't be possible! by Trillan · · Score: 1

      And under budget, too! :)

      (Thanks for the great laugh.)

  64. A fool and his money shall soon part. by Huh? · · Score: 1

    There are no technical solutions for stupidity and/or lack of common sense.

    1. Re:A fool and his money shall soon part. by TropicalCoder · · Score: 1

      "There are no technical solutions for stupidity and/or lack of common sense."

      Why not? I don't agree at all. That is defeatist thinking. We do it all the time in small everyday ways - such as - whenever we develop user interfaces for software. Any good software developer will check user input as far as possible for errors before allowing any action to be taken. For a tiny example, when the user clicks on Quit without having saved his data, we ask him "Quit without saving?" or something to that effect. A good software developer always thinks to protect the user from little mistakes - from his own "stupidity and/or lack of common sense" as you would say. Entire systems are developed with human fail-ability in mind. We take it up as a challenge to develop idiot-proof systems, because we are all idiots at one time or another - that is to say - we all make mistakes.

      We - the engineers - put powerful and complex technologies into the hands of people who lack our knowledge of how to use it correctly. Then if a problem arises from this, it is wrong to blame the user. It is the fault of whoever developed the technology.

  65. just use S/MIME by Anonymous Coward · · Score: 0

    Jesus christ.

    There is technology to digitally sign email with strong encryption, it has been around for ages. It is cross-platform, well-defined, and it works. It's cheap too.

    Get some certificates signed by verisign or other CA, and do a little programming.

    It's not hard.

  66. This is a BIG problem for paypal by Anonymous Coward · · Score: 0

    When I cancelled my paypal account (because I didn't trust it anymore, due to the numerous scams we are talking about here) part of the cancellation process was answering a little questionnaire. When it asks why... "too many fake paypal emails" was one of the options & I chose it. They then went into a lengthy description of all the efforts they're making on this front which was not at all convincing. I cancelled the account & added paypal to my filter. Anything from them (or more likely, pretending to be from them) gets tossed straight into the shitter without me ever seeing it. No more worrying about is it real or not, no worrying about someone getting my password & taking my dough. Paypal creates way more problems than it solves for a lot of people, it's just not worth the effort anymore.

    If enough people do this it's bye-bye paypal.

  67. Re:SPF /DKIM by darksoulz · · Score: 1

    What MTA are you using? I have a fully working domainkeys system set up and working perfectly with 3 different domains on Exim.

  68. Re:How about just block emails from paypal? by btc9183 · · Score: 1

    Where is he going to learn it?

    If we consider the shabby level of education received by Joe-6-pack in the American school system, it's doubtful that the poor bastard is familiar with the most basic methods of research. If it ain't on television, he probably hasn't got a clue about it.
    If he hasn't got a clue about it, then he should not be using it. He can pay with a credit card like most everyone else. I agree that we shouldn't have to protect people from their own stupidity, but perhaps we should, in the form of a test. Present the potential PayPal (l)user with several emails, one of which is a fake. If the applicant can not identify the scam email, Denied!
    --
    There's nothing wrong with shooting, just as long as the right people get shot...
  69. Re:How about just block emails from paypal? by Spazmania · · Score: 0

    They're spell checker misses obvious obvious mistakes two.

    I'm entitled to a spelling mistake now and again. Get over it.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  70. No URLs by labreuer · · Score: 1

    Why not adopt the principle of not having any URLs in the email, and instead having users copy & paste an alphanumeric string into some box on the paypal website? Alternatively, they could use something akin to Bank of America's SiteKey method, where an image is presented to the user to verify that the site is the desired site. Unfortunately, at least one study (I couldn't find it quickly) has noted that a significant portion (at least 25% and perhaps > 50%) of those who use such systems still enter in their password if the image is incorrect or missing.

  71. Re:How about just block emails from paypal? by Asgard · · Score: 1

    The mere existence of a DomainKeys header does not mean the message is genuine -- you have to check the signature for validity. If you are getting spam that purports to be from a domain that it obviously isn't yet has a valid DomainKeys header, then that is a much bigger deal. I suspect in your case someone copied a header from a valid message. The header should process as invalid.

  72. DomainKeys my A** by l3v1 · · Score: 1

    Honestly, I don't want no company's own e-mail verification system. People - yes, real people, and surprise surprise quite a lot of us - use GPG for signing and encrypting e-mails and everything else, and there are lots of freely usable keyservers out there. But hell would freeze over if any company with their bucks dropping out from their a**es would ever just use a proven, available and easy way of e-mail signing. Just give all your users keys and you're done, they don't even have to know they have one. But no, come on, people, use our DomainKeys. Yup, companies, the ones we love. Right.

    --
    I am putting myself to the fullest possible use, which is all I can think that any conscious entity can ever hope to do.
  73. Re:How about just block emails from paypal? by hedwards · · Score: 1

    No, this time it is better for everybody for paypal to win. As far as I am concerned anything which speeds up domain keys and similar technologies is a good thing.

    Most servers should already be set up to deal with this request. The benefits are really something that extends beyond the portion of the internet that uses paypal. For instance those evil stock spams which the SEC and other regulatory agencies are trying to stamp out.

  74. Re:SPF /DKIM by eric76 · · Score: 1

    I don't trust SPF enough to rely on it much. The only thing I use it for is to look up specific domains and find out what e-mail servers they use so I can whitelist those to skip the graylisting.

    But any so-called legitimate marketeer can create an SPF record for their domains.

    If you want to see how badly spf can be abused by regular ISPs, look at the SPF record for panix.com:

    panix.com text = "v=spf1 ip4:166.84.0.0/16 ip4:198.7.7.0/24 ?all"

    I assume they just added their entire IP blocks to the SPF record which totally defeats the purpose as far as I'm concerned. Their SPF record is worse than useless.

    So any customer of panix.com in those net blocks can have a trojan on their computer using an e-mail address from panix.com and trick you into thinking it is legitimate.

    Nope. For those domains that we receive legitimate e-mail from, I'll use their SPF record to find out what their addresses are and add them to the whitelist. But that is as far as it goes.

  75. Re:How about just block emails from paypal? by jahudabudy · · Score: 1

    Yeah, I spent a bit of time pondering that as well. I THINK he misspelled AND typoed "impeach" under the mistaken impression that it was the word "impede". Which almost fits in his sentence.

    I spent WAY too much time trying to decide if imspeech was a new way of saying l33t sp3k3, and wondering what IM had to do with this. Meh, anything is better than work :-)

    --
    ...sometimes, in order to hurt someone very badly, you have to tell that person terrible lies. - PA
  76. Re:SPF /DKIM by Anonymous Coward · · Score: 0

    >We have spf for all our domains. DKIM is a pain if you have more than one domian, the dns bit is easy, the signing more iffy - result i gave up on dkim implementation.

    No it isn't if you know what you are doing....... have all the domains use the same selector. A selector does not have to be a domain name....

    >I found dkim to be a waste of time, spf however is not.

    Wow... you have absolutely no idea what DKIM is or how to use it.

  77. Re:How about just block emails from paypal? by Spazmania · · Score: 1

    You're missing the point. The email can be from "Paypal Accounting Department ." Joe User isn't going to notice the difference and there is no SPF record blocking anything from @[127.0.0.1].

    Paypal only sees anti-fraud benefits if all email uses a third-party authentication service like Domain Keys. Then once the phishing is discovered you can go to the third party and find out who the key belongs to. Phishing theoretically becomes like robbing a bank without a mask: it's relatively easy to catch the culprit.

    Except if you follow through and imagine the phisher's next step, it really doesn't work out that way. They fraudulently register or steal other peoples' keys. So you exclude small businesses and home hobbyists from running email servers (domain keys are somewhat beyond them). And you exclude anonymous email. Yet you don't actually realize a benefit.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  78. Re:How about just block emails from paypal? by kmac06 · · Score: 1

    Correct. It's a relatively common occurrence: you have everything going to me@myisp.com but you start using me@gmail.com instead so you have your ISP forward everything that goes to me@myisp.com to me@gmail.com.

    Depends how it's done (and I don't know SMTP well enough to know for sure). Since your ISP has the whole e-mail, signature and everything, they could send it along unmodified to your Gmail account, which could then do the same authentication. Since nothing in the e-mail has changed, it would still be verified as the exact one sent from unsolicitedcreditcardoffer@paypal.com

  79. DomainKeys by DaMattster · · Score: 2, Interesting

    On its face, this seems like a good idea. But, there are bound to be problems related to interoperability with the various SMTP server implementations. Don't everyone groan at once when I mention M$ Exchange. I have thought of suggesting using OpenPGP but any joe blow could create a PGP public/private key-pair that purports to be from Paypal and use that key to send out phishing emails. I suppose Paypal could include a fingerprint of its key but I am not really sure. S/MIME might also be another option for digital signing.

    1. Re:DomainKeys by Ilgaz · · Score: 1

      S/MIME would add 4 KB to every message and thousands of windows/webmail users jumping up and down saying "paypal sent me a virus named pkcs7".

      In fact Yahoo explains why S/MIME is not useful for such functionality (the virus allegation is my experience here)

      http://antispam.yahoo.com/domainkeys#a11

      I would say enough is enough, if Google and Yahoo agreed, lets all agree on that technology along with SPF included and implement it.

      My Shared hosting provider offers both on Xserve based system.

      As you would guess, MS idiots are acting like "I am not playing" as usual and no sign of Exchange implementation nor hotmail.

  80. Re:How about just block emails from paypal? by Spazmania · · Score: 1

    That's exactly the problem: they do send it on unmodified. Except now it's coming from IP address 1.2.3.4 (mail.myisp.com) instead of from 5.6.7.8 (hacked.user.dsl.com). It's SPF's Achilles' heel.

    --
    Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
  81. Re:How about just block emails from paypal? by SCHecklerX · · Score: 1

    I just do what I do for every site that I use that requires mail addresses. Create an alias for them. If you are sending to my 'real' email address claiming to be from paypal. Bzzt!

    I'm surprised most ISPs don't offer this type of anti-phishing technique for their customers. Pop a warning if the from: domain doesn't match who you made the alias for or something. Oops. Maybe I should patent that now...

  82. Block all unsigned mail or just from paypal.com by btempleton · · Score: 1

    It is not clear in the article if Paypal is asking that sites block all mail that is not authenticated, or just unauthenticated mail that claims to be from paypal.com or related domains.

    The latter would be fine. The former would require every user in the world to get a new mailer, certify themselves with authorities and end the ability of those who wish to communicate anonymously through email to do so even when parties are consenting.

    The latter could be accomplished with keys that allow one signed email to declare "All future mails from this address or domain must be signed." You would need a key for a site to set the rule for the entire domain, a key for a user could set it for a single user.

    However, even this may be misleading security. Once users become convinced that all mail from paypal.com is now signed, phishers can trick them more easily by sending mail from paypa1.com (that's a "one" not an "el") or similar games. This mail, from paypa1, can even trumpet how you know you can trust it because you know that all mail from us is authenticated with wonderful crypto.

    Of course, paypal can try to get command of any domain that might look like theirs, in every character set, but sometimes when you tell people something is more secure, but it still has _any_ window into it, you actually create a greater danger of social engineering.

    --
    Has it been over a year since you last donated to the Electronic Frontier Foundation
  83. SpamAssassin 3.3.0 by Line_Fault · · Score: 1

    According to http://www.mail-archive.com/dev@spamassassin.apache.org/msg19513.html
    Rules to block unsigned eBay/Paypal mail should be in place by version 3.3.0

  84. No more net for you! by p8nt · · Score: 1

    Why don't we cut off internet access to Africa. I figure if someone actually needs it, then they can submit a request like we all do in the business world... and we all know how well that works. (Do we get karma for sarcasm?)

  85. Calm down by brunes69 · · Score: 1

    The whole point of these responses is because of one thing - we've heard it all before. "Oh I know how to stop spam... do X". I've been hearing this crap going on 15 years now.

    Spam is a problem. Yes. Is it a problem that can be solved in any meaningful way? Likely not. At least not without removing nearly every single benefit email has.

    There are lots of problems in this world that are not easily solvable. Spam is one of them. And until someone like you, actually DOES SOMETHING THAT WORKS, then all your spouting off about proposals and solutions is just blah blah blah to me. Show me some results, then I'll be impressed.

  86. Re:SPF /DKIM by Anonymous Coward · · Score: 0

    But any so-called legitimate marketeer can create an SPF record for their domains.

    SPF isn't really for verifying emails as legitimate, it's more for verifying emails as illegitimate. With SPF, if you receive an email from a host that claims to be from domain example.com, and example.com has a TXT record indicating that the host is permitted to send mail, it might be a legitimate email, or it may just mean that the host has joined a zombie network that read the user's email configuration. (or the SPF record is too liberal, or they set it to not reject based on other addresses, or the host is "legitimately" sending spam, etc.)

    On the other hand, if example.com has a TXT record indicating that the host is not permitted to send mail, then you know that the email is illegitimate.

  87. Re:How about just block emails from paypal? by kmac06 · · Score: 1

    That's the nature of the Internet. When I get a packet from my router, my router tells me it came from www.slashdot.org's IP address. It could easily have changed it, or completely made it up. That's where a "signature" comes in.

    How I believe this signing process would work (or one example of it, anyway), is paypal uses a private key to encrypt the e-mail. Anyone can then use paypal's public key to decrypt it. They cannot, however, change the content of the e-mail and re-encrypt it, since they don't have paypal's private key. So your ISP gets the e-mail, sends the encrypted version on to gmail, which then unencrypts it using paypal's public key.

    It's sort of the opposite of regular public key encryption: anyone can decode the message using the public key, but to create (or modify) a message, you need the private key.
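
    The signing scheme described in this post, in Asgard's reply about copied headers (post 71) and in Dolda2000's DomainKeys explanation can be seen end to end in a few dozen lines. What follows is an added example, not code from the thread or from libdomainkeys/qmail-dk: a simplified DomainKeys-style signer and verifier in Go (stdlib RSA, a toy canonicalization rather than the real "nofws" or DKIM "relaxed" algorithms), with a constructed domain example.com, selector s1 and a map standing in for the selector._domainkey TXT lookup.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"fmt"
	"strings"
)

// Message is a minimal mail: headers in wire order plus the body.
type Message struct {
	Headers [][2]string
	Body    string
}

// canonical builds the bytes that get signed: the listed headers (first
// occurrence each, lower-cased name, trimmed value) then the body with
// trailing whitespace dropped. Simplified on purpose; not nofws/relaxed.
func canonical(m Message, signedHeaders []string) []byte {
	var b strings.Builder
	for _, name := range signedHeaders {
		for _, h := range m.Headers {
			if strings.EqualFold(h[0], name) {
				b.WriteString(strings.ToLower(name) + ":" + strings.TrimSpace(h[1]) + "\n")
				break
			}
		}
	}
	b.WriteString(strings.TrimRight(m.Body, " \t\r\n"))
	return []byte(b.String())
}

// Sign is the submission server's job: hash the canonical form and sign
// the digest with the domain's private key (a signature, not encryption).
func Sign(m Message, priv *rsa.PrivateKey, signedHeaders []string) (string, error) {
	digest := sha256.Sum256(canonical(m, signedHeaders))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// pubKeys stands in for the DNS TXT lookup of <selector>._domainkey.<domain>.
var pubKeys = map[string]*rsa.PublicKey{}

// Verify is what any receiving host does: fetch the key named by selector and
// From domain, recompute the digest, check the signature. The IP address the
// message arrived from plays no part, which is why forwarding is harmless.
func Verify(m Message, selector, domain, sigB64 string, signedHeaders []string) bool {
	pub, ok := pubKeys[selector+"._domainkey."+domain]
	if !ok {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(canonical(m, signedHeaders))
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig) == nil
}

// Outcome collects the four situations the thread argues about.
type Outcome struct {
	Genuine, Forwarded, Tampered, CopiedSig bool
}

// Demo signs one constructed receipt and verifies it in each situation.
func Demo() (Outcome, error) {
	priv, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return Outcome{}, err
	}
	pubKeys["s1._domainkey.example.com"] = &priv.PublicKey // constructed domain/selector
	signed := []string{"From", "To", "Subject"}
	msg := Message{
		Headers: [][2]string{{"From", "billing@example.com"}, {"To", "user@example.net"}, {"Subject", "Receipt"}},
		Body:    "You paid 10.00 to Shop A.\n",
	}
	sig, err := Sign(msg, priv, signed)
	if err != nil {
		return Outcome{}, err
	}
	// A list or forwarder prepends headers outside the signed set: still valid.
	forwarded := msg
	forwarded.Headers = append([][2]string{{"Received", "from list.example.org"}, {"List-Id", "<dev.example.org>"}}, msg.Headers...)
	// Edited body without the private key: signature no longer matches.
	tampered := msg
	tampered.Body = "You paid 10.00 to Shop A. Confirm at http://lookalike.invalid/\n"
	// A genuine signature pasted onto a different message (Asgard's case).
	copied := Message{
		Headers: [][2]string{{"From", "billing@example.com"}, {"To", "victim@example.net"}, {"Subject", "Account suspended"}},
		Body:    "Log in here to restore access.\n",
	}
	return Outcome{
		Genuine:   Verify(msg, "s1", "example.com", sig, signed),
		Forwarded: Verify(forwarded, "s1", "example.com", sig, signed),
		Tampered:  Verify(tampered, "s1", "example.com", sig, signed),
		CopiedSig: Verify(copied, "s1", "example.com", sig, signed),
	}, nil
}

func main() {
	o, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine=%v forwarded=%v tampered=%v copied-signature=%v\n", o.Genuine, o.Forwarded, o.Tampered, o.CopiedSig)
}
```

    Note the correction to the post's wording that the code makes concrete: the body is not encrypted with the private key and decrypted with the public one; it travels in the clear, and only a hash of the canonical form is signed. That is also what defeats the "forged DomainKey information" seen upthread: a copied header verifies against the wrong digest and fails.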

  88. Re:How about just block emails from paypal? by miskatonic+alumnus · · Score: 4, Insightful

    What next? If a person can't keep from being killed, he shouldn't be alive in the first place? What's with this blaming the victim? How about we get some decent security as part of the e-mail infrastructure? How about we ramp up prosecution of these thieves?

    I'll tell you a little story. Once I was operating a cash register, and got conned by a change-raising artist. How humiliating. I guess I shouldn't handle cash.

  89. Identify authentication by HomelessInLaJolla · · Score: 1

    The most important thing that I see for preserving at least some semblance of verifying the source and intent of e-mail is the presence of a reliable chain of custody. The e-mail was received from this IP address, to this mail server, to this relay, to that relay, to this mail daemon, to be delivered to this account. Yes, this information can be spoofed to some extent, but it's sufficient in most cases to at least trace back to the first compromised system (in the case of outright spam/junk/phishing) or at least give a knowledgeable recipient some information to give credence to whether or not the sender might be who they claim to be.

    With this in mind I'm really unhappy with Gmail. All mail that I've seen which comes from a Gmail account purports to originate from within the Gmail hive. At least Hotmail and Yahoo still preserve the IP from which the HTTP POST was made.

    With respect to PayPal phishing e-mails, in particular, it's quite easy to look at the e-mail headers and say,"Heh. Nah. That doesn't even look close to legitimate."

    --
    the NPG electrode was replaced with carbon blac
    1. Re:Identify authentication by Anonymous Coward · · Score: 0

      With respect to PayPal phishing e-mails, in particular, it's quite easy to look at the e-mail headers and say,"Heh. Nah. That doesn't even look close to legitimate."

      Gmail does that, it seems. My spam folder on Gmail is full of phishing emails. I've never yet had one appear in the legitimate mail folder.

  90. What are the defects with SMTP? by HomelessInLaJolla · · Score: 1

    Seconded. SMTP is more than adequate to maintain a reliable and trustworthy e-mail system. The cases of abuse which I've seen have been proof of concept, red herring, or simple examples of incompetent administrators. Granted many of those administrators are end users with compromised home systems, or administrators who manage, say, 1500 desktops in an office building where ten or twenty of the hacked boxes are in broom closets someplace. That still isn't a flaw in SMTP.

    --
    the NPG electrode was replaced with carbon blac
  91. Re:How about just block emails from paypal? by Shatrat · · Score: 1

    Someone once said "A fool and his money are soon parted".
    I've heard this before, but I still don't understand how you can repartition money. Aren't notes and coins atomic?
    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  92. Not interested. by Anonymous Coward · · Score: 1, Insightful

    1) Are they paying me to implement their fix to their problem?
    2) Have they started taking reports from people who find the fraud scams, then responding with the results of what they have done?
    3) Do they have a working customer support system?

    When the answer to the above is YES, then I might start caring.

    Otherwise, it strikes me as THEIR problem, not mine.

  93. Re:How about just block emails from paypal? by networkBoy · · Score: 1

    It's fugly.
    I'll see if I can get around to tidying it up a bit first
    -nB

    --
    whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
  94. Re:How about just block emails from paypal? by Fulcrum+of+Evil · · Score: 2, Informative

    That means every mail server operator, even the home hobbiest, has to subscribe to some third-party authentication service like domain keys.

    I'm just a hobbier, not a hobbiest. Of course, public key stuff means you just have to generate a keypair and put the public one in your domain record.

    --
    "We returned the General to El Salvador, or maybe Guatemala, it's difficult to tell from 10,000 feet"
  95. Re:PayPal? What about the parent company, eBay? by 5pp000 · · Score: 1

    How did the Nigerian try to defraud you?

    --
    Your god may be dead, but mine aren't!
  96. Re:SPF /DKIM by vux984 · · Score: 1

    But any so-called legitimate marketeer can create an SPF record for their domains.

    Right, but a properly set up SPF record means OTHER people have trouble spoofing 'so called legitimate marketeer'. So if you get a message from 'so called legitimate marketeer' and he's set up an SPF record you are reasonably assured that the message isn't from someone else trying to spoof being from 'so called legitimate marketeer'.

    If the value of that isn't clear consider the normal spf use-case scenario:

    Let's say "yourdomain" is a 'paypal' or an 'ebay' or a bank and you've set up SPF properly.

    Then if the guy at marketeer.com or even bot-103455 of some botnet sends someone an email claiming to be from "yourdomain" then the recipient can safely and automatically discard those messages because they are coming from a mail server you at "your domain" didn't authorize.

    Thus the only way users using SPF are going to get spam from "yourdomain" is if:
    1) YOU spam them
    2) YOUR mail server has been compromised and spammers are using it, in which case you have a chance to fix it.
    3) one of YOUR users, who is authorized to use YOUR mailserver has been compromised and spammers are using that host to send spam. (e.g. bot-103455 happens to actually be one of your own users)

    This puts spam control in your hands. It doesn't protect end users from spam in general, but it does give you significant control over whether they have to receive spam from "yourdomain".

    The biggest weakness in SPF, in my opinion, is that it doesn't help you against typosquatter domains. If I own paypal.com and set up SPF correctly, there is still nothing stopping a spammer from spoofing paypals.com, which won't get blocked by SPF. So a user might still be fooled by a spoof email if they don't observe that the domain name being spoofed isn't quite right in the first place.

  97. NOT because of phishing by mrshowtime · · Score: 1

    This latest B.S. ploy has nothing to do with protection of innocents via phishing scams. It has everything to do with eBay's overzealous "Big Brother" attitude. Ebay and Paypal have been actively tracking users, logging every single detail about what their users do for the better part of a decade. Essentially ebay wants email service providers to subsidize the cost of ebay tracking their own users via secured email.

    --
    "Jeremy, you need to get to an internet cafe and cut and paste some appropriate sentiments about me from the world wide
  98. LINKS, not emails by zCyl · · Score: 1

    How about Paypal just gives up sending email?

    The problem is very simple. Websites like Paypal should NEVER send a link in an email message which asks for any information to be submitted, and they should announce this policy clearly to their users. If people are going to submit login or other information, they should always use a bookmark or type the url themselves. If everyone followed this protocol, phishing would be impossible.
  99. We've been through this before by Beryllium+Sphere(tm) · · Score: 2, Interesting

    Coins, money, checks and stock certificates have all been forged. One option would have been blaming the victims. Instead the industries involved developed anti-forgery technology and deployed it.

    Today email is being forged for criminal gain. The anti-forgery technology already exists. Paypal is negotiating with their business partners to get it deployed.

    We all benefit from closing off easy opportunities for crime. Blaming the victim doesn't work very well in the case of a pharming attack anyway.

  100. Re:How about just block emails from paypal? by MBGMorden · · Score: 2, Insightful

    Please. I went to a public school South friggen Carolina. We were (at the time) ranked one of the lowest states in education nationwide. Did I have some trouble transitioning into college courses? A little, but I did fine in the end. Could the education have been better? Yes. That being said, people make WAY too much fuss over how "bad" the education system is in the US. I might have a shotgun and a pack of hunting dogs, but I also know very well what String Theory and Hawking Radiation are :). We had pretty decent classes in Calculus, Chemistry, Biology, Physics, History, and just about any other subject matter you could want. We were even taught about, *gasp*, evolution in our Biology classes.

    The issue isn't that the schools don't offer a good education: it's that they don't force you into it. Our classes were divided into several categories: Tech Prep (stupid), College Prep (regular), Honors (intelligent), and AP (very intelligent). You were free to take any of these you wanted to. Take the Honors and AP stuff and you'll come out with a decent education. Take the Tech Prep stuff and you'll come out knowing how to read and write (poorly) and that's about it.

    Sadly, many, many American students take the "stupid" route; not because of the education system, but because of our warped cultural mindset. Being smart is seen as a negative attribute. It's "uncool", with anyone who cares to think being labeled a "nerd", "geek", or any of a number of negative names.

    You want to accuse "Joe-6-pack" of being stupid then go right ahead, but it's a result of his own choices. Anybody who wants to learn in an American school can still do fairly well.

    Now that I've said something to praise the American education system, I wonder how long it will be before the grammar Nazis descend onto my post to try and prove it wrong by means of bad grammar? :D

    --
    "People who think they know everything are very annoying to those of us who do."-Mark Twain
  101. itsatrap by suggsjc · · Score: 1

    How do we know the letters that were sent to the service providers weren't spoofed by scammers???

    Maybe the scammers have set up their own "DomainKeys" or whatever that Yahoo thingie is? Then who'd be laughing? Well, I guess probably somebody over in Nigeria, or possibly ~37 kids down in a basement in Oregon...but then again who am I to speculate?

    --
    When I have a kid, I want to put him in one of those strollers for twins and then run around the mall looking frantic.
    1. Re:itsatrap by mysidia · · Score: 1

      Phishers could set up their own domain keys... but if they can't make their domain look convincing it wouldn't help.

      I pose there should be a `X-Verifiably-From' mail header containing an e-mail address, which any site owner could insert, and mail servers/mail clients would be programmed to either strip off the header and insert a warning or just block the message, if the message wasn't signed with domainkeys for the verifiably-from address, OR if the address doesn't match stringent guidelines, or doesn't match the From address.

      To stop phishing, there would be another catch.. name formatting; to be verifiable, the e-mail address shown in the header would be required to be all uppercase, all characters would have to be alphanumeric characters in the standard ASCII character set. Due to the possibility of confusing 1 with I, or 0 with O, the numbers 0 and 1 would not be allowed to be contained in the DOMAIN part of the e-mail address, but would be permitted in any subdomain part.

      I.E. X-Verifiably-From: FISHYJOE@node1.MYSITE.COM would be ok

      I.E. X-Verifiably-From: FISHYJOE@node.MYS1TE.COM would NOT be ok

      Unfortunately, if you choose to use the numeral 0 or the numeral 1 in your domain name, you could not use this technology. But there's a simple solution (register a new domain to send e-mail from).
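      The header rules sketched in this reply, turned into a receiver-side check. This is an added example, not code from the post or from any mail server; it assumes that the "DOMAIN part" means the last two labels (MYSITE.COM) and that everything before them is subdomain, that the From header holds a bare address for comparison, and that a DomainKeys verification result is supplied from elsewhere (no cryptography is done here). The post's own "ok" example writes node1 in lowercase, which its all-uppercase rule would reject, so the test below uppercases that label.

```python
import re

LABEL = re.compile(r"^[A-Z0-9]+$")   # one uppercase alphanumeric ASCII label


def verifiably_from_ok(address, from_header=None):
    """Check an X-Verifiably-From value against the rules proposed in the post.
    Returns (ok, reason). Assumption not stated in the post: the "DOMAIN part"
    is the last two labels (e.g. MYSITE.COM); earlier labels are subdomains."""
    if not address.isascii():
        return False, "non-ASCII character"
    if address != address.upper():
        return False, "not all uppercase"
    local, sep, domain = address.partition("@")
    if not sep or not local or not domain:
        return False, "malformed address"
    if not LABEL.match(local):
        return False, "local part not alphanumeric"
    labels = domain.split(".")
    if len(labels) < 2 or not all(LABEL.match(lbl) for lbl in labels):
        return False, "domain label not alphanumeric"
    registered = ".".join(labels[-2:])
    # 0 and 1 are banned in the domain part only (confusable with O and I);
    # they remain allowed in subdomain labels such as NODE1.
    if "0" in registered or "1" in registered:
        return False, "digit 0 or 1 in domain part " + registered
    if from_header is not None and from_header.strip().upper() != address:
        return False, "does not match From address"
    return True, "ok"


def filter_headers(headers, dk_verified):
    """Receiver policy from the post: keep a valid, signed X-Verifiably-From
    header, otherwise strip it and insert a warning. headers is a list of
    (name, value) pairs; dk_verified says whether a DomainKeys signature for the
    claimed domain verified (assumed computed elsewhere)."""
    from_value = next((v for n, v in headers if n.lower() == "from"), None)
    out = []
    for name, value in headers:
        if name.lower() != "x-verifiably-from":
            out.append((name, value))
            continue
        ok, reason = verifiably_from_ok(value.strip(), from_value)
        if ok and dk_verified:
            out.append((name, value))
        else:
            why = reason if not ok else "no valid DomainKeys signature"
            out.append(("X-Warning", "X-Verifiably-From stripped: " + why))
    return out


if __name__ == "__main__":
    for addr in ("FISHYJOE@NODE1.MYSITE.COM", "FISHYJOE@NODE.MYS1TE.COM"):
        print(addr, verifiably_from_ok(addr))
```

      The interesting branch is the 0/1 rule: it has to be applied to the registered domain only, or a perfectly legitimate NODE1 host would be refused.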

  102. Re:How about just block emails from paypal? by suggsjc · · Score: 2, Insightful

    That means every mail server operator, even the home hobbyist, has to subscribe to some third-party authentication service like domain keys.
    Yes, but no.
    Only the mail server operators that want to prevent phishing scams targeting PayPal would have to implement "some third-party authentication."

    I understand what you are saying, and coming up with a solution that only solves a very specific problem (or subset of a problem) isn't very efficient. But if the big players like google, yahoo, microsoft all did it, then for a relatively modest investment it could protect quite a few people from basic attacks.
    --
    When I have a kid, I want to put him in one of those strollers for twins and then run around the mall looking frantic.
  103. Re:SPF /DKIM by eric76 · · Score: 1

    I do understand what SPF is supposed to do, but what I am saying is that what it does, combined with the way people set up their records, makes it pretty much useless to me.

    Consider the panix.com SPF record above. Assuming that the IP addresses covered include their whole domain and the presence of the "?all", what they are saying is that any e-mail with a return address of panix.com should be treated as legitimate.

    Then there is the "~all" SOFTFAIL. So you might reject those or you might not, depending on how hard-assed you want to be about it.

    If the only option was "-all" and only known, identified, legitimate SMTP servers could be listed, I'd be more impressed. If you're going to use "~all" or "?all" in the record, then you might as well not even bother creating the record. And listing your entire address block or blocks is just plain silly.

    For what it's worth, we do have SPF records with "-all". It doesn't seem to have cut down on bounces of spams with forged e-mail addresses at all.
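    The SPF evaluation that comments 96 and 103 argue about, as an added example (not code from either poster, nor from any SPF library): a minimal check_host() that resolves a sending IP against a record and then applies the receiver's MAIL FROM policy. The three records and the two IP addresses are constructed; the "-all", "~all" and "?all" endings show why only the first one gives a receiver grounds to drop a forgery. Only ip4/ip6/all mechanisms are evaluated, since a, mx and include need DNS and this runs offline.

```python
import ipaddress

# SPF qualifier prefixes and the result each yields when its mechanism matches.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# Constructed records for the three "all" policies discussed in the thread.
RECORDS = {
    "strict":  "v=spf1 ip4:192.0.2.0/24 -all",   # only 192.0.2.0/24 may send; all others fail
    "soft":    "v=spf1 ip4:192.0.2.0/24 ~all",   # others softfail: may be tagged, rarely rejected
    "neutral": "v=spf1 ip4:192.0.2.0/24 ?all",   # others neutral: the record asserts nothing
}


def parse_spf(record):
    """Split an SPF TXT record into (qualifier, mechanism, argument) terms."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    parsed = []
    for term in terms[1:]:
        qualifier = "+"                      # no prefix means "+"
        if term[0] in QUALIFIERS:
            qualifier, term = term[0], term[1:]
        name, _, arg = term.partition(":")
        parsed.append((qualifier, name.lower(), arg))
    return parsed


def check_host(client_ip, record):
    """Simplified RFC 4408 check_host(): the first matching mechanism decides."""
    ip = ipaddress.ip_address(client_ip)
    for qualifier, name, arg in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qualifier]
        if name in ("ip4", "ip6"):
            net = ipaddress.ip_network(arg, strict=False)
            if ip.version == net.version and ip in net:
                return QUALIFIERS[qualifier]
        # a, mx, include and other DNS-based mechanisms are skipped offline
    return "neutral"   # nothing matched and no "all": RFC 4408 default


def mail_from_action(result):
    """Receiver policy applied at MAIL FROM, before any message body is accepted."""
    if result == "fail":
        return "reject"       # forged envelope sender: refuse, so no bounce is generated
    if result == "softfail":
        return "accept+tag"   # accept, but hand the spam filter a strike against it
    return "accept"           # pass, neutral or none: SPF gives no grounds to refuse


def evaluate(client_ip, record):
    """SPF result for client_ip against record, plus the action it triggers."""
    result = check_host(client_ip, record)
    return result, mail_from_action(result)


if __name__ == "__main__":
    for label, rec in RECORDS.items():
        for ip in ("192.0.2.10", "198.51.100.7"):
            print(label, ip, evaluate(ip, rec))
```

    With the "strict" record the unlisted IP is refused at MAIL FROM and no backscatter bounce is ever produced; with "?all" the same forgery is indistinguishable from legitimate mail, which is the point made above about records that might as well not exist.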

  104. Re:How about just block emails from paypal? by asninn · · Score: 1

    Nobody says you've got to be perfect or that you always have to succeed, but you should at least try and make an effort. For example, when you operate a cash register, you don't tell customers "take whatever you need, I'll trust that you're not going to cheat me and take more than I owe you"; rather, you acknowledge that not everyone's honest and try to take reasonable precautions so bad things won't happen. It might not work (you still might get cheated, robbed or whatever), but that's not an excuse for not trying.

    --
    butter the donkey
  105. Re:How about just block emails from paypal? by miskatonic+alumnus · · Score: 3, Insightful

    That being said, people make WAY too much fuss over how "bad" the education system is in the US.

    I'm in a position to criticize this education system, having spent 12 years attempting to teach mathematics (including remedial mathematics) to its graduates. I've spoken with the students and their previous instructors, and determined that their public school teachers don't understand the material they "teach". My colleagues who teach history, art, biology, political science, and English say the students do little better in those areas. So yeah, the schools suck --- except when it comes to sports, of course.

    You want to accuse "Joe-6-pack" of being stupid then go right ahead, but it's a result of his own choices. Anybody who wants to learn in an American school can still do fairly well.

    Here's the rub --- in order to make an informed, rational, intelligent choice you have to be educated. It's a vicious circle: bad decisions lead to ... more bad decisions. You can't bootstrap yourself from an illiterate, innumerate dunce to a Bill Gates or Einstein without a proper support network. Some are capable of doing more with less, but you can't just throw a computer or a book at a child, say "Teach thyself!" and expect good results.

  106. Re:How about just block emails from paypal? by holomorph · · Score: 1

    yea, aliases are (in theory) nice for this (then you know who's giving away your address too). The problem is, when you sign up for an account, a lot of places will tell you the email address you entered is not valid (because of the + in the address I presume). This causes a bit of a problem, unless your mail provider uses some other type of aliases that don't get rejected (I'm using gmail where aliases are of the form 'username+whatever@gmail.com')
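    The rejection described here is usually an address validator whose local-part character class omits '+'. Added example, not code from the post or from any site or mail provider: a constructed validator of that kind next to one that accepts the characters RFC 5322 permits in a dot-atom local part, plus the split a user would do to see which site handed out a given alias.

```python
import re

# Constructed example of the kind of pattern many signup forms use: '+' is
# absent from the local-part class, so user+shop@example.com is "not valid".
NAIVE_EMAIL = re.compile(r"^[A-Za-z0-9._-]+@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")

# Corrected pattern: the local part is an RFC 5322 dot-atom; atext includes
# '+' and a dozen other punctuation characters.
ATEXT = r"[A-Za-z0-9!#$%&'*+/=?^_`{|}~-]+"
DOT_ATOM_EMAIL = re.compile(rf"^{ATEXT}(\.{ATEXT})*@[A-Za-z0-9-]+(\.[A-Za-z0-9-]+)+$")


def naive_is_valid(addr):
    """The rejecting validator: returns False for any sub-addressed mailbox."""
    return NAIVE_EMAIL.match(addr) is not None


def is_valid(addr):
    """Dot-atom validator: accepts sub-addresses and other legal local parts."""
    return DOT_ATOM_EMAIL.match(addr) is not None


def split_alias(addr, sep="+"):
    """Split a sub-addressed mailbox into (base address, tag); tag is None
    when absent. The tag is what tells you who gave away your address."""
    local, _, domain = addr.partition("@")
    base, _, tag = local.partition(sep)
    return f"{base}@{domain}", tag or None


if __name__ == "__main__":
    for a in ("user+shop@example.com", "user@example.com"):
        print(a, naive_is_valid(a), is_valid(a), split_alias(a))
```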

  107. Re:SPF /DKIM by sjwest · · Score: 1

    postfix - multiple instances of each on a public IP but on one machine, lots of spam garbage filters - while it might be possible it's a pain for very little payback.

    That's another eight high ports open (inbound and outbound) where I think I have to filter one process chain into another, aka sign->spam-check->send-here->then-here. We got stuck with postfix in outbound message signing before. The second domain got the DKIM signature for domain 1, which is wrong.

    Nice idea - crap outbound message signing implementation.

  108. Poppycock! by Anonymous Coward · · Score: 0

    Are you fucking kidding me? You can't tell a cop no under any circumstance!

    Some people say we have rights - that's great. I wonder how wonderful it feels exercising their rights while they're being tasered.

  109. Re:SPF /DKIM by sjwest · · Score: 1

    Said the coward to the fool

    Doing one of something is easy, even I could get DKIM working with one - but doing many means things don't work or play happy with the other things the mail interacts with. I'm a fool, but then there was an emperor once who wore no clothes.

  110. Re:SPF /DKIM by vux984 · · Score: 1

    I do understand what SPF is supposed to do, but what I am saying is that what it does combined with the way people set up their records, it is pretty much useless to me.

    But SPF does what it's supposed to do. It gives you a way of allowing OTHER people to differentiate between spam and legitimate mail from your domain name. That is a huge benefit, even if most of them aren't doing it ... yet.

    The fact that you receive bounces of spams with forged email addresses just tells us that most mail servers aren't configured to check SPF properly. If they did, they could discard those messages as spam instead of bouncing them.

    SPF isn't a failure, nor is it useless. But it requires wide-scale deployment to make any real dent in mail spoofing on the internet at large, and really it only prevents spoofing, not spam itself.

    As for your panix domain example, that amounts to a pretty lame SPF record, and suggests they only have SPF to prevent getting rejected for not having SPF (which is a small step in the right direction at least), but they currently haven't taken the required steps to allow you to detect spoofing of their domain name. This is only REALLY a problem if their domain is getting spoofed to a relevant degree.

    A domain like paypal, or ebay, or a bank has a big interest in giving mail admins the tools to detect spoofed mail from their domains. The average company, while it does likely have an interest in stopping spoofing of its domain, has likely not been seriously afflicted with spoofing, and so simply doesn't care overmuch. Which of course, doesn't do mail admins like you any favours. But really, how much panix.net spoofed mail do you actually get, and is it really negatively affecting panix.net that you got it (beyond making their mail admin look like a lazy/incompetent twit)?

    Point is SPF is an excellent anti-spoofing technology, and it works very well. It will never be successful as an anti-spam technology, because, as you yourself said, there is nothing stopping spammers from creating SPF records.

  111. Re:How about just block emails from paypal? by rainman_bc · · Score: 1

    How dare they do this, imspeech the people sending emails to me(scammer or not)

    Sorry, but insightful? Mods are you on crack today? He was making a joke... ( You were making a joke right ? )

    =D

    --
    09 F9 11 02 9D 74 E3 5B D8 41 56 C5 63 56 88 C0
  112. Re:SPF /DKIM by darksoulz · · Score: 1

    That's one reason I quit using postfix a while back. I hated having to either relay via socket out to another program, and then having it inject it back into postfix. I can definitely see where this would be a pain as well.

  113. They also do RFC4408 (SPF) by CustomDesigned · · Score: 1
    A legitimate paypal email:

    2007Mar26 16:41:56 [6720] Received-SPF: Pass (mail.bmsi.com: domain of
    paypal.com designates 216.113.188.96 as permitted sender)
    client-ip=216.113.188.96; envelope-from="payment@paypal.com";
    helo=outbound2.den.paypal.com; receiver=mail.bmsi.com;
    mechanism="include:c._spf.ebay.com"; identity=mailfrom
    A forgery:

    2007Mar26 20:11:23 [7934] REJECT: SPF softfail 250 SPF fail: see
    http://openspf.org/why.html?sender=paypal-account@paypal.com&ip=64.163.170.34
    This allows the forgeries to be rejected at MAIL FROM. A lot more efficient than receiving the entire message body, doing a crypto hash and public key cryptography, and then throwing all the work away with a reject.

    The drawback with SPF is that to work properly the receiver needs to know who they have set up as forwarders - something Joe Sixpack probably has no clue about, and therefore his ISP has no clue either since Joe Sixpack signed up with the forwarder. So this makes checking SPF difficult for a big email service provider.

    Another problem is that when a phish uses another MAIL FROM, Joe Sixpack won't notice that although the "From" header field says paypal, the "Sender" field is quite different (and yes, Outlook and other mass market email clients display this clearly):

    2007Mar28 13:28:55 [5043] Received-SPF: None (mail.bmsi.com: 200.123.148.2 is
    neither permitted nor denied by domain of nuva1.nuvanet.com)
    client-ip=200.123.148.2; envelope-from="nobody@nuva1.nuvanet.com";
    helo=nuva1.nuvanet.com; receiver=mail.bmsi.com; mechanism=a/24;
    identity=mailfrom; x-bestguess=pass;
    2007Mar28 13:28:56 [5043] Subject: Your PayPal account will be suspended !
    2007Mar28 13:28:56 [5043] X-Mailer: PHP / 4.3.5
    2007Mar28 13:28:56 [5043] From: service@paypal.com
    2007Mar28 13:28:56 [5043] NOTE: Supplying MFROM as Sender
    2007Mar28 13:28:56 [5043] Sender: <nobody@nuva1.nuvanet.com>
    In any case, they support *multiple* authentication methods. So take your pick. There really is no reason to pass on the forgeries.
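    The third message above is the case SPF alone does not catch: the envelope sender (nuvanet.com) gets a None result on its own domain while the From header claims paypal.com. The following is an added example, not code from the poster or from the milter that produced those log lines; it parses Received-SPF header values modelled on the ones quoted above (folded lines joined, used as constructed samples), checks whether the envelope-from domain matches the From-header domain, and quarantines mail whose From claims a domain on an assumed list of SPF-publishing domains without an aligned SPF pass.

```python
import re

# Received-SPF value: result token, optional parenthesised comment, key=value pairs.
RESULT_RE = re.compile(r"^\s*(\w+)\s*(?:\([^)]*\))?\s*(.*)$", re.S)
KV_RE = re.compile(r'([\w-]+)=(?:"([^"]*)"|([^;\s]+))')

# Assumed list of domains whose mail is expected to authenticate.
PROTECTED = {"paypal.com", "ebay.com"}

# Constructed samples modelled on the headers quoted in the post.
LEGIT = {
    "From": "payment@paypal.com",
    "Received-SPF": ('Pass (mail.bmsi.com: domain of paypal.com designates 216.113.188.96 '
                     'as permitted sender) client-ip=216.113.188.96; '
                     'envelope-from="payment@paypal.com"; helo=outbound2.den.paypal.com; '
                     'receiver=mail.bmsi.com; mechanism="include:c._spf.ebay.com"; identity=mailfrom'),
}
PHISH = {
    "From": "service@paypal.com",
    "Sender": "<nobody@nuva1.nuvanet.com>",
    "Subject": "Your PayPal account will be suspended !",
    "Received-SPF": ('None (mail.bmsi.com: 200.123.148.2 is neither permitted nor denied by '
                     'domain of nuva1.nuvanet.com) client-ip=200.123.148.2; '
                     'envelope-from="nobody@nuva1.nuvanet.com"; helo=nuva1.nuvanet.com; '
                     'receiver=mail.bmsi.com; mechanism=a/24; identity=mailfrom; x-bestguess=pass;'),
}


def parse_received_spf(value):
    """Return {'result': ..., 'fields': {...}} for a Received-SPF header value."""
    m = RESULT_RE.match(value or "")
    if not m:
        return {"result": "none", "fields": {}}
    # findall yields '' for the group that did not participate, hence `q or raw`
    fields = {k.lower(): (q or raw) for k, q, raw in KV_RE.findall(m.group(2))}
    return {"result": m.group(1).lower(), "fields": fields}


def addr_domain(addr):
    """Domain of 'user@example.com' or 'Name <user@example.com>', lowercased."""
    m = re.search(r"@([\w.-]+)", addr or "")
    return m.group(1).lower() if m else ""


def spf_alignment(headers):
    """(spf result, envelope-from domain, From-header domain, aligned?)"""
    spf = parse_received_spf(headers.get("Received-SPF"))
    mailfrom = addr_domain(spf["fields"].get("envelope-from", ""))
    hdr_from = addr_domain(headers.get("From", ""))
    return spf["result"], mailfrom, hdr_from, bool(mailfrom) and mailfrom == hdr_from


def verdict(headers):
    """A From claiming a protected domain must be backed by an SPF pass on an
    envelope sender in that same domain; otherwise the message is held."""
    result, mailfrom, hdr_from, aligned = spf_alignment(headers)
    if hdr_from in PROTECTED and not (result == "pass" and aligned):
        return "quarantine"
    if result == "fail":
        return "reject"
    return "deliver"


if __name__ == "__main__":
    for name, msg in (("legit", LEGIT), ("phish", PHISH)):
        print(name, spf_alignment(msg), verdict(msg))
```

    The SPF check itself is unchanged; the extra work is only the domain comparison, which is cheap compared with hashing a body and verifying a signature, and it is the check that turns the "x-bestguess=pass" in the third log above into a hold.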
  114. Re:How about just block emails from paypal? by Joseph+User · · Score: 1

    Debatable, but even if it was perfectly true it doesn't open an avenue to a solution. The odds of Joe User noticing that the email really came from accounts@ppaypal.com aren't very good. After all, he already missed the fact that the url links to http://12323984378/steal/my/info.php.

    Maybe I'm missing something, but I can't get your link to work.
  115. exim4 HOWTO please by Anonymous Coward · · Score: 0

    If they are asking us to do this, why don't they show us HOW, and hire some programmers to enable these features in exim4?

  116. How can we talk to management? by Joseph_Daniel_Zukige · · Score: 1

    I've told them the solution is to get the account access off of the universal browser and onto special purpose browsers they build themselves, but no one listens.

  117. It's still the days of snail mail in many parts by Joseph_Daniel_Zukige · · Score: 2, Informative

    In Japan, it is not uncommon to get a phone call or post card from someone claiming to be, for instance, a family member in trouble and in need of quick cash.

    It's surprising how many people don't check first, and to the tune of hundreds of thousands of dollars at times.

    The problem is not unique to the 'net.

    The solution is special purpose browsers that the financial institutions provide their customers, which browsers do one thing only. (Well, okay, one kind of thing.) Connect to the bank and manage the user side of the account.

    Asymmetric keys that the bank provides to the browser or the browser just does not connect. And the user calls the bank on the phone to let them know there might be an attack in progress. (Well, most users will think they are just complaining that the "browser doesn't work", but the guys at the bank are instructed to call the sysadmin any time a customer has trouble connecting.)

    Okay, to make it solid the banks would need an auxiliary domain name confirmation system (with asymmetric keys, yes) and the customers would need their own sets of asymmetric keys and maybe one-time pads that they pick up directly from the branch office, stuff like that, but the custom browser enables that.

    1. Re:It's still the days of snail mail in many parts by Yer+Mom · · Score: 1

      The solution is special purpose browsers that the financial institutions provide their customers, which browsers do one thing only. (Well, okay, one kind of thing.) Connect to the bank and manage the user side of the account.

      Of course, knowing the average bank, that would mean only Windows users would be able to bank online. Not a good solution.

      --
      Never mind Spamassassin. When's Spammerassassin coming out?
  118. Re:How about just block emails from paypal? by The+Cisco+Kid · · Score: 0, Redundant

    These are *not* trivial measures. You cannot mandate that every email reader/client in the world implement any particular verification scheme. If it's so trivial *you* do it. Heck, feel free to begin how to detect if a message 'looks' like a paypal message (but isn't really).

    It's not that it would be so difficult to verify that a particular message really is from paypal. However, that's solving the wrong problem. You have to be able to detect the ones that 'Joe Sixpack' is going to *think* are from Paypal but are not. The other option is for Joe Sixpack to learn to actually verify that each message he thinks is from paypal really is.

  119. Paypal calls you by name by Slashdot+Parent · · Score: 1

    One thing that paypal has done to try to help is that they always call you by name when they send you email. So if you get email that says, "Dear Sir" or "Dear Customer" or something like that, you can count on it being fake.

    Of course, even if it calls you by your real name, a phisher could have harvested it from somewhere else, so it's no guarantee. But you can safely /dev/null any email from paypal that doesn't contain your name.

    --
    They don't grade fathers, but if your daughter's a stripper, you fucked up. --Chris Rock
  120. Client written in Java by Joseph_Daniel_Zukige · · Score: 1

    True, Java has some issues with the temptation to do whatever the latest fad in dev management is, but as far as building a cross-platform browser sufficient to access your bank account securely, it would work.

    With bouncycastle, of course.

    Hmm. I suppose I should check whether bouncycastle is functional with the current gcj before I get too enthusiastic.