Slashdot Mirror
PayPal Asks E-mail Services to Block Messages
roscoetoon writes ""PayPal, the Internet-based money transfer system owned by eBay, is trying to persuade e-mail providers to block messages that lack digital signatures, which are aimed at cutting down on phishing scams, a company attorney said Tuesday.So far, no agreements have been reached,..." "...PayPal is using several technologies to digitally sign its e-mails now, including DomainKeys, Sullivan said. DomainKeys, a technology developed by Yahoo Inc., enables verification of the sender and integrity of the message that's sent." "...An agreement with, for example, Google for its Gmail service could potentially stop spam messages that look legitimate and bypass spam filters.""
What ever happened to email signatures/authentication/etc? Rather than mess around with specific providers, they should talk to the folks writing the software and develop or work with an existing standard for identity authentication. It's not like encryption/signatures don't already exist, the problem is in mass adoption and making it nearly thoughtless to do so that is the difficulty.
How about Paypal just gives up sending email?
I've seen lots of spoof Paypal emails and some of them look frighteningly close to the real thing. Even if Paypal's sending legitimate email, what is it? Emailed receipts? Just what I want hopping from mail server to mail server. Emailed promotions? No thanks, does anyone REALLY want those?
If it's that important, do what businesses have been doing for a good century: certified postal mail. If you don't wanna pay the dollar fifty for it, then it must not be very important and, by definition, it makes it non-essential.
More Twoson than Cupertino
I'm sick of people entering my house through the open front door while I'm away, and stealing all my stuff. I want to make it illegal for people to just walk through open doors.
I know, you're thinking "why don't you just do something about your open front door?" But dammit, I've based my entire security model around having my front door open at all times, and I really can't be bothered to dream up a more secure system than a wide open front door. I'd much rather make it everyone else's problem instead.
Slashdot Burying Stories About Slashdot Media Owned
The issue here seems to be spam/phishing. I wonder if it's time to develop something like SMTP 2.0... an equivalent to a "new" e-mail system completely separate from the current one. Maybe it should have centrally managed servers for stricter authentication? Is the current system defective by design or just in need of some updated techniques?
Because hovering over the link in the mail is hard?
"Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."
Why don't major financial insititutions all create a coalition that does exactly this. This coalition would issue signing certificates for the various members, who will then sign all of their email.
All that mail hosts would need to do is verify that the mail was signed by a valid certificate that was issued by the coalition. One certificate to verify against. The coalition can then issue revocation lists as necessary if a member's certificate is ever comprimised.
Seems like an ideal solution to reduce phishing. It could also be used by other organizations who could have their email signed in a similar way, which might allow these messages to bypass spam filters which would benefit the mail hosts.
I think of it as a way to implement a pseudo whitelist, which is by far the best way to ensure that you don't get spam.
Sometimes the best solution is to stop wasting time looking for an easy solution.
This is a great idea, but hard to enforce. Most people let anything and everything get to their systems because they don't want to miss that ONE KEY EMAIL~ and really, you're entrusting end-users with PGP. That's what it sounds like to me, and if that's the case, this has little chance of working in practise.
Let's stop dilly-dallying and just change "-1: Overrated" to "-1: Disagree" or "-1: Doesn't Subscribe to Groupthink".
I run my own domain, and while I haven't found a good API for checking domain keys yet, one thing I do is check to see if a domain key signature is present in domains that are known to use them -- for example, if a message claims to be from gmail.com or yahoo.com, I just make sure there is a domain key signature header in the message... no need to validate it. Sure a spammer could put a fake signature in, but then it would be block by the major mail providers.
Granted, this is only a short term solution -- I'm hoping that good support for domain keys appears for Exim before too much longer.
I am also using Sender Policy Framework, as one poster suggested, however it does have two significant limitations. The first limitation is that it doesn't work for forwarded account... for example, I use an @acm.org forwarder for some traffic, which means that the host connecting to my mail server is from acm.org, which won't be listed in the SPF entry for iwanttohireyou.com. There have been some proposed methods for re-writing From lines, but it's really not workable. In my case, I know what servers are allowed to forward mail to my domain, and I simply bypass the SPF check in those cases.
The other problem with SPF, that I see more and more, is that most spammers have stopped putting well known domains in their from lines and are instead using garbage domains, which of course do not have SPF entries. If SPF was universal, then the absence of an SPF entry would tell you something, but it isn't, so it doesn't.
Still, between SPF, domain keys, and well monitored RBLs, you can keep spam to a minimum, and I applaud PayPal for trying to get other ISPs to implement these sorts of controls.
-brian
Someone one said "A fool and his money are soon parted".
Joe Sixpack needs to get off his ass, and actually learn something about the tool (yes its a TOOL, not a toy) he is using to send/receive REAL money to/from other people. If he is too lazy/ignorant/unmotivated to do that, then he will get ripped off, and its not ebay, paypal, or the government's job to protect him from his own stupidity.
I've said it before and I'll say it again; email is stupid. I freaking HATE email. It's mostly spam and is rarely useful.
I rely on forums and chats for 99% of my useful communications on the internet.
The whole concept of email needs to be redesigned, as others have pointed out.
Paypal should communicate with users through it's site, NOT through email.
-- Boycott Shell
you mean as in if I had say 5 e-mail address and each of them forwarded the e-mail to me@myemail.com so that I could check them all in one place and my real paypal e-mails were being sent to one of those original 5?
Correct. Its a relatively common occurance: you have everything going to me@myisp.com but you start using me@gmail.com instead so you have your ISP forward everything that goes to me@myisp.com to me@gmail.com.
If that's the case I'm guessing that Ebay/Paypal are just betting on there being a minimal amount of people doing that who are also going to be incapable or unwilling to just have paypal send stuff directly to their main address.
Debatable, but even if it was perfectly true it doesn't open an avenue to a solution. The odds of Joe User noticing that the email really came from accounts@ppaypal.com aren't very good. After all, he already missed the fact that the url links to http://12323984378/steal/my/info.php.
Unless the provider uses domain keys or the like for ALL email (not just email @paypal.com) paypal's problem isn't addressed. That means every mail server operator, even the home hobbiest, has to subscribe to some third-party authentication service like domain keys.
Moderating "-1, Disagree" is simple censorship. Have the guts to post your opinion.
Unfortunately, SPF and DomainKeys (DKIM) are not the answer to verifying mail. Currently, as has already been discussed thoroughly, the adoption rate for both of these among legitimate senders of mail has been abysmal. Those few who have adopted these tools are in the minority, and as a result, it is impossible to rely upon these tools as definitive proof that a message is legitimate.
Compounding this problem is the fact that there is NOTHING in place to stop spammers from setting up a SPF record or perhaps a DKIM record for their domain. Some do not, but there are enough who do to make it nearly impossible to either accept or discard email specifically based upon these tools.
Spam is notoriously hard to identify. Unfortunately, the only way to totally resolve this issue would be to develop some sort of method by which to identify legitimate senders and also to preclude people sending spam from being identified as legitimate. Given our current technology, this is not currently possible.
The only way I can think of to eliminate spam on the internet would be for the Internet community to completely discard the current email structure and completely overhaul it to include some sort of sender verification, along with non-spam verification of mail.
This *is* an email signature system, only at the MTA level rather than the MUA level like PGP. The idea is to make mass adoption easier, since, as you say, it's the main difficulty. So get off your butt and get DomainKeys working!
Don't piss off The Angry Economist
Probably because Paypal is deceptive in their own mails. Here's an excerpt from a recent PayPal mail as rendered by MailScanner:
Now they have the hypocrisy to complain about others not jumping through hoops for their mail? Give me a break.
My God, it's Full of Source!
OUTSIDE_IP=$(dig +short my.ip @outsideip.net)
It's already illegal to enter premises where you know you're not invited, even if the door is open. Were it not for the fact that your premise is COMPLETELY WRONG, this would a great satire.
Don't piss off The Angry Economist
While I agree with you to an extent, if there are trivial measures that you can implement to stop this then why wouldn't you?
Plus many of the phishing scams are actually becoming rather complex. Many are now linking images directly from the targets website so that they look fairly legitimate and then use tricks like obfuscated javascript for the link to the phishing site itself so that a cursory "put mouse over link and see where it goes" isn't going to be a clear tipoff to joe sixpack.
What next? If a person can't keep from being killed, he shouldn't be alive in the first place? What's with this blaming the victim? How about we get some decent security as part of the e-mail infrastructure? How about we ramp up prosecution of these thieves?
I'll tell you a little story. Once I was operating a cash register, and got conned by a change-raising artist. How humiliating. I guess I shouldn't handle cash.
1) Are they paying me to implement their fix to their problem?
2) Have they started taking reports from people who find the fraud scams, then responding with the results of what they have done?
3) Do they have a working customer support system?
When the answer to the above is YES, then I might start caring.
Otherwise, it strikes me as THEIR problem, not mine.
Please. I went to a public school South friggen Carolina. We were (at the time) ranked one of the lowest states in education nationwide. Did I have some trouble transitioning into college course? A little, but I did fine in the end. Could the education have been better? Yes. That being said, people make WAY too much fuss over how "bad" the education system is in the US. I might have a shotgun and a pack of hunting dogs, but I also know very well what String Theory and Hawking Radiation are :). We had pretty decent classes in Calculus, Chemistry, Biology, Physics, History, and just about any other subject matter you could want. We were even taught about, *gasp*, evolution in our Biology classes.
:D
The issue isn't that the schools don't offer a good education: it's that they don't force you into it. Our classes were divided into several categories: Tech Prep (stupid), College Prep (regular), Honors (intelligent), and AP (very intelligent). You were free to take any of these you wanted to. Take the Honors and AP stuff and you'll come out with a decent education. Take the Tech Prep stuff and you'll come out knowing how to read and write (poorly) and that's about it.
Sadly, many, many American students take the "stupid" route; not because of the education system, but because of our warped cultural mindset. Being smart is seen as a negative attribute. It's "uncool", with anyone who cares to think being labeled a "nerd", "geek", or any of a number of negative names.
You want to accuse "Joe-6-pack" of being stupid then go right ahead, but it's a result of his own choices. Anybody who wants to learn in an American school can still do fairly well.
Now that I've said something to praise the American education system, I wonder how long it will be before the grammar Nazis descend onto my post to try and prove it wrong by means of bad grammar?
"People who think they know everything are very annoying to those of us who do."-Mark Twain
Only the mail server operators that want to prevent phishing scams targeting PayPal would have to implement "some third-party authentication."
I understand what you are saying, and coming up with a solution that only solves a very specific problem (or subset or a problem) isn't very efficient. But if the big players like google, yahoo, microsoft all did it, then for a relative modest investment it could protect quite a few people from basic attacks.
When I have a kid, I want to put him in one of those strollers for twins and then run around the mall looking frantic.
That being said, people make WAY too much fuss over how "bad" the education system is in the US.
... more bad decisions. You can't bootstrap yourself from an illiterate, innumerate dunce to a Bill Gates or Einstein without a proper support network. Some are capable of doing more with less, but you can't just throw a computer or a book at a child, say "Teach thyself!" and expect good results.
I'm in a position to criticize this education system, having spent 12 years attempting to teach mathematics (including remedial mathematics) to its graduates. I've spoken with the students and their previous instructors, and determined that their public school teachers don't understand the material they "teach". My colleagues who teach history, art, biology, political science, and English say the students do little better in those areas. So yeah, the schools suck --- except when it comes to sports, of course.
You want to accuse "Joe-6-pack" of being stupid then go right ahead, but it's a result of his own choices. Anybody who wants to learn in an American school can still do fairly well.
Here's the rub --- in order to make an informed, rational, intelligent choice you have to be educated. It's a vicious circle: bad decisions lead to