PayPal Asks E-mail Services to Block Messages
roscoetoon writes: "PayPal, the Internet-based money transfer system owned by eBay, is trying to persuade e-mail providers to block messages that lack digital signatures, which are aimed at cutting down on phishing scams, a company attorney said Tuesday. So far, no agreements have been reached..." "...PayPal is using several technologies to digitally sign its e-mails now, including DomainKeys, Sullivan said. DomainKeys, a technology developed by Yahoo Inc., enables verification of the sender and integrity of the message that's sent." "...An agreement with, for example, Google for its Gmail service could potentially stop spam messages that look legitimate and bypass spam filters."
Fair enough.
I run a script that loads their page mercilessly and attempts to log in through their proxy/spoof with random credentials.
It's a practice that's gotten me DOS'd more than once.
But your average joe sixpack is susceptible to these scams, and as such I like what ebay corp. is attempting to do.
-nB
whois gawk date unzip strip find touch finger mount join nice man top fsck grep eject more yes exit umount sleep dump
Most paypal and ebay scam emails DON'T look legitimate. Most are so poorly formed they stand out as fake. From address is wrong, subject is formatted very differently etc... Anyone that uses Paypal regularly can easily see how bad of a job the scammers do in the fake emails.
Problem is, they are taking advantage of the fact that people like me make up 10% of the total population, the rest fall for it because they don't take the time to be careful.
Do not look at laser with remaining good eye.
Signed email does, however, eliminate the presently very common and significant type of scam that depends on forging emails from legitimate domains.
Signed email also provides an effective basis for spam control, so I have to disagree with you on the point that spam recognition is hard. It's only hard because, at present, it depends entirely on content analysis. If we could make it depend on originating address, because the message signature lets us verify this address, then we could filter without regard to content.
The critical difference is that filtering can now be done reliably. You either filter messages that match a certain address pattern or you don't. So the filtering problem becomes "just" a question of granularity. In other words, if my filter is set up to accept everything from the Paypal domain, and not every Paypal user is well behaved, then I'll see some amount of spam coming through perhaps. But I can then choose to reliably filter out individual addresses which I find bothersome, or I can train a Bayesian filter to do it for me.
On a larger scale, suppose you're right and Paypal tries to leverage the strength of its digital signatures to deliver spam content, to the point that a significant amount of Paypal message traffic becomes spam. What do you think will happen then? MTAs will start to filter the entire domain. And because of the signatures on such traffic, they will be able to do so reliably.
Parity: What to do when the weekend comes.
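The filtering model the comment above describes (accept a signing domain wholesale, then narrow to individual addresses, and escalate to blocking the whole domain if its signed traffic turns into spam) can be written down as a small policy engine. This is an added example, not code from the article, PayPal or any mail provider; it assumes the MTA has already verified a DomainKeys-style signature and hands over only the domain whose published key verified it (`sig_domain`), and every address, domain and verdict below is constructed for illustration.

```python
"""Toy acceptance policy driven by verified sender domain (constructed example)."""
from dataclasses import dataclass, field
from email.utils import parseaddr


@dataclass
class Policy:
    # Domains that have declared "everything we send is signed"; assumed, not a real registry.
    must_sign: set
    # Finer granularity: individual verified addresses the recipient has chosen to drop.
    blocked_senders: set = field(default_factory=set)
    # Coarser granularity: whole domains the MTA has decided to drop.
    blocked_domains: set = field(default_factory=set)


def decide(msg: dict, policy: Policy) -> str:
    """Return 'accept', 'reject' or 'unsigned' for one message.

    msg keys (constructed): 'from' is the From header value; 'sig_domain' is the
    domain whose key verified the signature, or None when absent or failed.
    """
    _, addr = parseaddr(msg["from"])
    addr = addr.lower()
    from_domain = addr.rpartition("@")[2]
    sig_domain = (msg.get("sig_domain") or "").lower()

    if from_domain in policy.blocked_domains:
        return "reject"  # domain-level filter, reliable because its traffic is signed
    if from_domain in policy.must_sign:
        # A signature from some other domain's key proves nothing about this From address:
        # anyone can generate a key, so only the key published for the claimed domain counts.
        if sig_domain != from_domain:
            return "reject"
        if addr in policy.blocked_senders:
            return "reject"  # address-level filter, reliable for the same reason
        return "accept"
    return "unsigned"  # nothing to verify against; fall back to content analysis


def should_block_domain(spam_flags: list, threshold: float = 0.5) -> bool:
    """Escalate to a domain-wide block once too much of its signed traffic is spam.

    spam_flags is a constructed history of True/False verdicts for one domain.
    """
    if not spam_flags:
        return False
    return sum(spam_flags) / len(spam_flags) > threshold


def run_samples() -> list:
    """Run a few constructed messages through the policy and return the decisions."""
    policy = Policy(
        must_sign={"paypal.example"},
        blocked_senders={"promos@paypal.example"},
    )
    samples = [
        # genuine notice, signature verified against the claimed domain's key
        {"from": '"PayPal" <service@paypal.example>', "sig_domain": "paypal.example"},
        # forged From, no signature at all
        {"from": "service@paypal.example", "sig_domain": None},
        # forged From, signed with a key the sender made up for another domain
        {"from": "service@paypal.example", "sig_domain": "mailer.example"},
        # genuine but unwanted: verified address on the recipient's own block list
        {"from": "promos@paypal.example", "sig_domain": "paypal.example"},
        # domain that has made no signing commitment; content filters take over
        {"from": "friend@other.example", "sig_domain": None},
    ]
    return [decide(m, policy) for m in samples]


if __name__ == "__main__":
    for verdict in run_samples():
        print(verdict)
    print("block domain:", should_block_domain([True, True, False, True]))
```

The key property is in `decide`: a verified signature only counts when it was produced by the key published for the domain in the From header, which is why the self-made OpenPGP key worry raised elsewhere in the thread does not apply to DNS-published domain keys, and why both the per-address and per-domain filters can act on the address rather than on content.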
On its face, this seems like a good idea. But, there are bound to be problems related to interoperability with the various SMTP server implementations. Don't everyone groan at once when I mention M$ Exchange. I have thought of suggesting using OpenPGP but any joe blow could create a PGP public/private key-pair that purports to be from Paypal and use that key to send out phishing emails. I suppose Paypal could include a fingerprint of its key but I am not really sure. S/MIME might also be another option for digital signing.
My bank sends a couple types of emails. One is a "A statement for your account ending in XXXX has been posted."
Another is "We have sent you a secure message. Log into your account to see it."
The emails are only text, and they never have a link to the bank's website. The two sentences I have quoted above are pretty much the entire contents of the emails.
The bank has trained me that if they have something to tell me, I should go to the site on my own and log into my account like I would for anything else. No HTML mail, no links that could possibly be misleading, nothing.
Coins, money, checks and stock certificates have all been forged. One option would have been blaming the victims. Instead the industries involved developed anti-forgery technology and deployed it.
Today email is being forged for criminal gain. The anti-forgery technology already exists. Paypal is negotiating with their business partners to get it deployed.
We all benefit from closing off easy opportunities for crime. Blaming the victim doesn't work very well in the case of a pharming attack anyway.