Slashdot Mirror


PayPal Asks E-mail Services to Block Messages

roscoetoon writes "PayPal, the Internet-based money transfer system owned by eBay, is trying to persuade e-mail providers to block messages that lack digital signatures, which are aimed at cutting down on phishing scams, a company attorney said Tuesday. So far, no agreements have been reached, ..." "...PayPal is using several technologies to digitally sign its e-mails now, including DomainKeys, Sullivan said. DomainKeys, a technology developed by Yahoo Inc., enables verification of the sender and integrity of the message that's sent." "...An agreement with, for example, Google for its Gmail service could potentially stop spam messages that look legitimate and bypass spam filters."

19 of 222 comments

  1. This isn't the right solution.... by LordPhantom · · Score: 3, Insightful

    Whatever happened to email signatures/authentication/etc? Rather than mess around with specific providers, they should talk to the folks writing the software and develop or work with an existing standard for identity authentication. It's not like encryption/signatures don't already exist; the problem is mass adoption and making it nearly thoughtless to do so. That is the difficulty.

  2. SPF by ikegami · · Score: 4, Informative

    This is the problem Sender Policy Framework (SPF) tries to address.

  3. Even better by Applekid · · Score: 4, Insightful

    How about Paypal just gives up sending email?

    I've seen lots of spoof Paypal emails and some of them look frighteningly close to the real thing. Even if Paypal's sending legitimate email, what is it? Emailed receipts? Just what I want hopping from mail server to mail server. Emailed promotions? No thanks, does anyone REALLY want those?

    If it's that important, do what businesses have been doing for a good century: certified postal mail. If you don't wanna pay the dollar fifty for it, then it must not be very important and, by definition, it makes it non-essential.

    --
    More Twoson than Cupertino

    1. Re:Even better by Anonymous Coward · · Score: 3, Interesting

      My bank sends a couple types of emails. One is a "A statement for your account ending in XXXX has been posted."

      Another is "We have sent you a secure message. Log into your account to see it."

      The emails are only text, and they never have a link to the bank's website. The two sentences I have quoted above are pretty much the entire contents of the emails.

      The bank has trained me that if they have something to tell me, I should go to the site on my own and log into my account like I would for anything else. No HTML mail, no links that could possibly be misleading, nothing.

  4. That reminds me.. by Rob+T+Firefly · · Score: 3, Insightful

    I'm sick of people entering my house through the open front door while I'm away, and stealing all my stuff. I want to make it illegal for people to just walk through open doors.

    I know, you're thinking "why don't you just do something about your open front door?" But dammit, I've based my entire security model around having my front door open at all times, and I really can't be bothered to dream up a more secure system than a wide open front door. I'd much rather make it everyone else's problem instead.

    1. Re:That reminds me.. by Fred_A · · Score: 4, Funny

      Ah, the flawed analogy. Such a fine art form these days.
      Yeah, it didn't even have a car in it! Pitiful, I say!
      --

      May contain traces of nut.
      Made from the freshest electrons.

  5. I don't get it. by jpellino · · Score: 3, Insightful

    Because hovering over the link in the mail is hard?

    --
    "Win treats sysadmins better than users. Mac treats users better than sysadmins. Linux treats everyone like sysadmins."

    1. Re:I don't get it. by sqlrob · · Score: 3, Insightful

      Right, something like http://update-paypal-security.info/ is obviously a phish to the average user.

    2. Re:I don't get it. by navyjeff · · Score: 4, Funny

      Right, something like http://update-paypal-security.info/ is obviously a phish to the average user.

      I think that link is slashdotted. I tried to update my paypal security info, but the site seems to be down. Anyone got a cached link???

      (My karma's gonna burn for this...)

  6. Re:Time to move past SMTP? by Trillan · · Score: 3, Insightful

    SMTP is not only defective by design, but defective by requirement.

  7. Re:How about just block emails from paypal? by DrLov3 · · Score: 5, Funny

    How dare they do this, imspeech the people sending emails to me (scammer or not). I need those emails; their futile attempts to get my money are detectable to the naked eye. I need those for my weekly laughter at their incompetence; it keeps me cheered up, otherwise I might go on a killing spree or something, and PayPal will be held accountable for the death and violence.

    I mean, why on earth would a third party have the right to request that I stop receiving my emails?

  8. Good news! by bziman · · Score: 4, Insightful

    I run my own domain, and while I haven't found a good API for checking domain keys yet, one thing I do is check to see if a domain key signature is present in domains that are known to use them -- for example, if a message claims to be from gmail.com or yahoo.com, I just make sure there is a domain key signature header in the message... no need to validate it. Sure, a spammer could put a fake signature in, but then it would be blocked by the major mail providers.

    Granted, this is only a short term solution -- I'm hoping that good support for domain keys appears for Exim before too much longer.

    I am also using Sender Policy Framework, as one poster suggested; however, it does have two significant limitations. The first limitation is that it doesn't work for forwarded accounts... for example, I use an @acm.org forwarder for some traffic, which means that the host connecting to my mail server is from acm.org, which won't be listed in the SPF entry for iwanttohireyou.com. There have been some proposed methods for re-writing From lines, but it's really not workable. In my case, I know what servers are allowed to forward mail to my domain, and I simply bypass the SPF check in those cases.

    The other problem with SPF, that I see more and more, is that most spammers have stopped putting well known domains in their from lines and are instead using garbage domains, which of course do not have SPF entries. If SPF was universal, then the absence of an SPF entry would tell you something, but it isn't, so it doesn't.

    Still, between SPF, domain keys, and well monitored RBLs, you can keep spam to a minimum, and I applaud PayPal for trying to get other ISPs to implement these sorts of controls.

    -brian

  9. Re:How about just block emails from paypal? by The+Cisco+Kid · · Score: 4, Insightful

    Someone once said "A fool and his money are soon parted".

    Joe Sixpack needs to get off his ass and actually learn something about the tool (yes, it's a TOOL, not a toy) he is using to send/receive REAL money to/from other people. If he is too lazy/ignorant/unmotivated to do that, then he will get ripped off, and it's not eBay's, PayPal's, or the government's job to protect him from his own stupidity.

  10. Errrr, this *is* an email signature by Russ+Nelson · · Score: 3, Insightful

    This *is* an email signature system, only at the MTA level rather than the MUA level like PGP. The idea is to make mass adoption easier, since, as you say, it's the main difficulty. So get off your butt and get DomainKeys working!

    --
    Don't piss off The Angry Economist

  11. Tries but fails by Russ+Nelson · · Score: 3, Informative

    The problem with SPF is that it's really easy to implement, and works really badly. DomainKeys is a real solution to the problem, but it's harder to implement because you can't munge the email (which various MTAs are prone to do).

    --
    Don't piss off The Angry Economist

    1. Re: Tries but fails by Dolda2000 · · Score: 3, Informative

      Since he does not seem to, let me take the chance to elaborate on that one. One of the greatest problems with SPF is that you can't forward messages, so SPF would mean the doom of mailing lists. To be more specific about the problem, if I send a mail to a list, it might come from me@foo.com, and in foo.com's SPF DNS record, I have stated the IP address for the mail servers from which mails are allowed to arrive. The mailing list may check that and be content, but then it forwards it to all its members, using its own mail server, which, of course, isn't recorded in foo.com's SPF record. Hence, all receiving hosts (that support SPF) will refuse the message.

      DomainKeys doesn't have a problem with that, though. It signs the message body and a select choice of headers (by default, all headers below the DomainKeys header) with a private key (which is only known to the submit servers). The receiving host checks foo.com's DNS for the public key and verifies the signature. Obviously, this works with mailing lists as well, since it doesn't matter from which mail server the message arrives. All that matters is that the signature can be verified with the public key in the From address' domain's DNS records.

      Naturally, it isn't just mailing lists which run into problems. A lot of mail systems rely on forwarding.
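
The forwarding scenario described in this reply and in bziman's comment above, as an added example that is not part of the original thread: a simulated SPF lookup against a constructed foo.com record, and a DomainKeys-style signature over the headers below the signature header plus the body, checked first on direct delivery, then after a mailing list relays the message from its own server, then after the list appends a footer. The DNS data, IP addresses and message are constructed, and an HMAC stands in for the RSA key pair that real DomainKeys publishes in DNS; the path-independence and munging behaviour are the same.

```python
import hashlib
import hmac

# Constructed stand-ins for DNS TXT lookups (not real records).
SPF_RECORDS = {"foo.com": {"192.0.2.10"}}            # IPs foo.com's SPF record authorises
DOMAINKEYS = {"foo.com": b"constructed-key-for-foo"}  # stand-in for foo.com's published key

def spf_check(from_domain, connecting_ip):
    """'pass' only if the host that connected is listed in the From domain's SPF record."""
    allowed = SPF_RECORDS.get(from_domain)
    if allowed is None:
        return "none"  # garbage domains simply have no entry, so SPF says nothing
    return "pass" if connecting_ip in allowed else "fail"

def canonical(headers, body):
    """Header lines below the signature plus the body: the bytes that get signed."""
    lines = [f"{name}:{value}" for name, value in headers]
    return ("\r\n".join(lines) + "\r\n\r\n" + body).encode()

def submit(headers, body):
    """The submitting server signs and prepends the DomainKey-Signature header."""
    domain = dict(headers)["From"].split("@")[1]
    sig = hmac.new(DOMAINKEYS[domain], canonical(headers, body), hashlib.sha256).hexdigest()
    return {"headers": [("DomainKey-Signature", sig)] + headers, "body": body}

def domainkeys_verify(msg):
    """Verify from message content alone, so the delivering host's IP is irrelevant."""
    headers = msg["headers"]
    if not headers or headers[0][0] != "DomainKey-Signature":
        return "missing"  # bziman's cheap check: a signing domain with no header at all
    sig, signed = headers[0][1], headers[1:]
    key = DOMAINKEYS.get(dict(signed)["From"].split("@")[1])
    if key is None:
        return "nokey"
    expected = hmac.new(key, canonical(signed, msg["body"]), hashlib.sha256).hexdigest()
    return "pass" if hmac.compare_digest(sig, expected) else "fail"

def scenario():
    """Direct delivery, list relay with body intact, and list relay with a footer appended."""
    headers = [("From", "me@foo.com"), ("To", "list@example.org"), ("Subject", "hello")]
    body = "Hi list\r\n"
    msg = submit(headers, body)
    direct = (spf_check("foo.com", "192.0.2.10"), domainkeys_verify(msg))
    relayed = (spf_check("foo.com", "198.51.100.7"), domainkeys_verify(msg))  # list's own server
    munged = dict(msg, body=body + "-- \r\nlist footer\r\n")  # the MTA munging that breaks signatures
    return direct, relayed, domainkeys_verify(munged)
```

SPF fails as soon as the list's server connects instead of foo.com's, while the signature still verifies; only the appended footer breaks it.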

  12. Re:How about just block emails from paypal? by indifferent+children · · Score: 4, Funny

    ...medicate themselves...

    They're willing to try. That's why the Dremel tools come with a warning, "This is not a dental tool."

    --
    Censorship is telling a man he can't have a steak just because a baby can't chew it. --Mark Twain

  13. Re:How about just block emails from paypal? by miskatonic+alumnus · · Score: 4, Insightful

    What next? If a person can't keep from being killed, he shouldn't be alive in the first place? What's with this blaming the victim? How about we get some decent security as part of the e-mail infrastructure? How about we ramp up prosecution of these thieves?

    I'll tell you a little story. Once I was operating a cash register, and got conned by a change-raising artist. How humiliating. I guess I shouldn't handle cash.

  14. Re:How about just block emails from paypal? by miskatonic+alumnus · · Score: 3, Insightful

    That being said, people make WAY too much fuss over how "bad" the education system is in the US.

    I'm in a position to criticize this education system, having spent 12 years attempting to teach mathematics (including remedial mathematics) to its graduates. I've spoken with the students and their previous instructors, and determined that their public school teachers don't understand the material they "teach". My colleagues who teach history, art, biology, political science, and English say the students do little better in those areas. So yeah, the schools suck --- except when it comes to sports, of course.

    You want to accuse "Joe-6-pack" of being stupid then go right ahead, but it's a result of his own choices. Anybody who wants to learn in an American school can still do fairly well.

    Here's the rub --- in order to make an informed, rational, intelligent choice you have to be educated. It's a vicious circle: bad decisions lead to ... more bad decisions. You can't bootstrap yourself from an illiterate, innumerate dunce to a Bill Gates or Einstein without a proper support network. Some are capable of doing more with less, but you can't just throw a computer or a book at a child, say "Teach thyself!" and expect good results.