Slashdot Mirror

← Back to Stories (view on slashdot.org)

PayPal Asks E-mail Services to Block Messages

Posted by CmdrTaco on from the at-least-they're-honest-about-it dept.

roscoetoon writes ""PayPal, the Internet-based money transfer system owned by eBay, is trying to persuade e-mail providers to block messages that lack digital signatures, which are aimed at cutting down on phishing scams, a company attorney said Tuesday.So far, no agreements have been reached,..." "...PayPal is using several technologies to digitally sign its e-mails now, including DomainKeys, Sullivan said. DomainKeys, a technology developed by Yahoo Inc., enables verification of the sender and integrity of the message that's sent." "...An agreement with, for example, Google for its Gmail service could potentially stop spam messages that look legitimate and bypass spam filters.""

9 of 222 comments (clear)

  1. SPF by ikegami · · Score: 4, Informative

    This is the problem Sender Policy Framework (SPF) tries to address.

  2. Even better by Applekid · · Score: 4, Insightful

    How about Paypal just gives up sending email?

    I've seen lots of spoof Paypal emails and some of them look frighteningly close to the real thing. Even if Paypal's sending legitimate email, what is it? Emailed receipts? Just what I want hopping from mail server to mail server. Emailed promotions? No thanks, does anyone REALLY want those?

    If it's that important, do what businesses have been doing for a good century: certified postal mail. If you don't wanna pay the dollar fifty for it, then it must not be very important and, by definition, it makes it non-essential.

    --
    More Twoson than Cupertino
  3. Re:How about just block emails from paypal? by DrLov3 · · Score: 5, Funny

    How dare they do this, imspeech the people sending emails to me(scammer or not), I need those emails, thier futile attemps to get my money is detectable at the naked eye, I need those for my weekly laughter at thier incompetence, keeps me cheered up, otherwise I might go on a killing spree or something, and paypal will be held accountable for the death and violence.

    I mean why on earth would a third party have the right to request that I stop recieving my emails.

  4. Good news! by bziman · · Score: 4, Insightful

    I run my own domain, and while I haven't found a good API for checking domain keys yet, one thing I do is check to see if a domain key signature is present in domains that are known to use them -- for example, if a message claims to be from gmail.com or yahoo.com, I just make sure there is a domain key signature header in the message... no need to validate it. Sure a spammer could put a fake signature in, but then it would be block by the major mail providers.

    Granted, this is only a short term solution -- I'm hoping that good support for domain keys appears for Exim before too much longer.

    I am also using Sender Policy Framework, as one poster suggested, however it does have two significant limitations. The first limitation is that it doesn't work for forwarded account... for example, I use an @acm.org forwarder for some traffic, which means that the host connecting to my mail server is from acm.org, which won't be listed in the SPF entry for iwanttohireyou.com. There have been some proposed methods for re-writing From lines, but it's really not workable. In my case, I know what servers are allowed to forward mail to my domain, and I simply bypass the SPF check in those cases.

    The other problem with SPF, that I see more and more, is that most spammers have stopped putting well known domains in their from lines and are instead using garbage domains, which of course do not have SPF entries. If SPF was universal, then the absence of an SPF entry would tell you something, but it isn't, so it doesn't.

    Still, between SPF, domain keys, and well monitored RBLs, you can keep spam to a minimum, and I applaud PayPal for trying to get other ISPs to implement these sorts of controls.

    -brian

  5. Re:How about just block emails from paypal? by The+Cisco+Kid · · Score: 4, Insightful

    Someone one said "A fool and his money are soon parted".

    Joe Sixpack needs to get off his ass, and actually learn something about the tool (yes its a TOOL, not a toy) he is using to send/receive REAL money to/from other people. If he is too lazy/ignorant/unmotivated to do that, then he will get ripped off, and its not ebay, paypal, or the government's job to protect him from his own stupidity.

  6. Re:That reminds me.. by Fred_A · · Score: 4, Funny

    Ah, the flawed analogy. Such a fine artform these days.
    Yeah it didn't even have a car in it ! Pitiful I say !
    --

    May contain traces of nut.
    Made from the freshest electrons.
  7. Re:I don't get it. by navyjeff · · Score: 4, Funny

    Right, something like http://update-paypal-security.info/ is obviously a phish to the average user.

    I think that link is slashdotted. I tried to update my paypal security info, but the site seems to be down. Anyone got a cached link???

    (My karma's gonna burn for this...)

  8. Re:How about just block emails from paypal? by indifferent+children · · Score: 4, Funny
    ...medicate themselves...

    They're willing to try. That's why the Dremel tools come with a warning, "This is not a dental tool."

    --
    Censorship is telling a man he can't have a steak just because a baby can't chew it. --Mark Twain
  9. Re:How about just block emails from paypal? by miskatonic+alumnus · · Score: 4, Insightful

    What next? If a person can't keep from being killed, he shouldn't be alive in the first place? What's with this blaming the victim? How about we get some decent security as part of the e-mail infrastructure? How about we ramp up prosecution of these thieves?

    I'll tell you a little story. Once I was operating a cash register, and got conned by a change-raising artist. How humiliating. I guess I shouldn't handle cash.