PayPal Asks E-mail Services to Block Messages

roscoetoon writes ""PayPal, the Internet-based money transfer system owned by eBay, is trying to persuade e-mail providers to block messages that lack digital signatures, which are aimed at cutting down on phishing scams, a company attorney said Tuesday.So far, no agreements have been reached,..." "...PayPal is using several technologies to digitally sign its e-mails now, including DomainKeys, Sullivan said. DomainKeys, a technology developed by Yahoo Inc., enables verification of the sender and integrity of the message that's sent." "...An agreement with, for example, Google for its Gmail service could potentially stop spam messages that look legitimate and bypass spam filters.""

Sure would be nice

[Kranfer (620510)]

It sure would be nice to see this go through. If I had a dollar for everytime I have gotten an email from some fake paypal scheme I would be rich. Hopefully ISP's and Email providers will go along with this, because quite frankly, I hate it.

Re:

[Intron (870560)]

The whole reason there are fake Paypal schemes is people thinking "If I had a dollar from every fool using Paypal I would be rich".

Unfortunately, someone needs to trot out the anti-spam checklist now:

(X) It will stop spam for two weeks and then we'll be stuck with it
(X) Ideas similar to this are easy to come up with, yet none have ever been shown practical

This isn't the right solution....

[LordPhantom (763327)]

What ever happened to email signatures/authentication/etc? Rather than mess around with specific providers, they should talk to the folks writing the software and develop or work with an existing standard for identity authentication. It's not like encryption/signatures don't already exist, the problem is in mass adoption and making it nearly thoughtless to do so that is the difficulty.

Re:

[LordPhantom (763327)]

(and this message was brought to you by the Department of Redundancy Bureau). I hate it when I don't click preview.....

Errrr, this *is* an email signature

[Russ Nelson (33911)]

This *is* an email signature system, only at the MTA level rather than the MUA level like PGP. The idea is to make mass adoption easier, since, as you say, it's the main difficulty. So get off your butt and get DomainKeys working!

SPF

[ikegami (793066)]

This is the problem Sender Policy Framework (SPF) [openspf.org] tries to address.

Tries but fails

[Russ Nelson (33911)]

The problem with SPF is that it's really easy to implement, and works really badly. DomainKeys is a real solution to the problem, but it's harder to implement because you can't munge the email (which various MTAs are prone to do).

Re: Tries but fails

[Dolda2000 (759023)]

Since he does not seem to, let me take the chance to elaborate on that one. One of the greatest problems with SPF is that you can't forward messages, so SPF would mean the doom of mailing lists. To be more specific about the problem, if I send a mail to a list, it might come from me@foo.com, and in foo.com's SPF DNS record, I have stated the IP address for the mail servers from which mails are allowed to arrive. The mailing list may check that and be content, but then it forwards it to all its members, using its own mail server, which, of course, isn't recorded in foo.com's SPF record. Hence, all receiving hosts (that support SPF) will refuse the message.

DomainKeys doesn't have a problem with that, though. It signs the message body and a select choice of headers (by default, all headers below the DomainKeys header) with a private key (which is only known to the submit servers). The receiving host checks foo.com's DNS for the public key, and verifies the signature. Obviously, this works with mailing lists as well, since it doesn't matter from which mail server the message arrives. All which matters is that the signature can be verified with the public key in the From address' domain's DNS records.

Naturally, it isn't just mailing lists which run into problems. A lot of mail systems rely on forwarding.

Even better

[Applekid (993327)]

How about Paypal just gives up sending email?

I've seen lots of spoof Paypal emails and some of them look frighteningly close to the real thing. Even if Paypal's sending legitimate email, what is it? Emailed receipts? Just what I want hopping from mail server to mail server. Emailed promotions? No thanks, does anyone REALLY want those?

If it's that important, do what businesses have been doing for a good century: certified postal mail. If you don't wanna pay the dollar fifty for it, then it must not be very important and, by definition, it makes it non-essential.

Re:

[RedHat Rocky (94208)]

My guess would be even though Paypal never sends email to their customers, they would still end up paying out fraud for folks falling for the phish.

This would be the motivation for Paypal to seek a real fix, the phishing is hitting their bottom line and there's nothing they can directly change; they have to take a global direction.

Paypal is Deceptive

[bill_mcgonigle (4333)]

I've seen lots of spoof Paypal emails and some of them look frighteningly close to the real thing

Probably because Paypal is deceptive in their own mails. Here's an excerpt from a recent PayPal mail as rendered by MailScanner [mailscanner.info]:

MailScanner has detected a possible fraud attempt from "email1.paypal.com" claiming to be AllPosters.com

MailScanner has detected a possible fraud attempt from "email1.paypal.com" claiming to be TigerDirect.com

Disney's Toontown
Time Consumer Marketing

eBags

Mai

Re:

[by Anonymous Coward]

My bank sends a couple types of emails. One is a "A statement for your account ending in XXXX has been posted."

Another is "We have sent you a secure message. Log into your account to see it."

The emails are only text, and they never have a link to the bank's website. The two sentences I have quoted above are pretty much the entire contents of the emails.

The bank has trained me that if they have something to tell me, I should go to the site on my own and log into my account like I would for anything else. No

That reminds me..

[Rob T Firefly (844560)]

I'm sick of people entering my house through the open front door while I'm away, and stealing all my stuff. I want to make it illegal for people to just walk through open doors.

I know, you're thinking "why don't you just do something about your open front door?" But dammit, I've based my entire security model around having my front door open at all times, and I really can't be bothered to dream up a more secure system than a wide open front door. I'd much rather make it everyone else's problem instead.

Re:

[Aladrin (926209)]

Ah, the flawed analogy. Such a fine artform these days.

There is no law involved here. They are -asking- ISPs to do this and help both PayPal and the ISP's customers. There is no law. There is no old woman nagging 'Now don't you do that!'

A better analogy: I'm sick of airports letting people carry knives onto airplanes. I want them to scan and prevent people from carrying them onboard.

Re:That reminds me..

[Fred_A (10934)]

Ah, the flawed analogy. Such a fine artform these days.

Yeah it didn't even have a car in it ! Pitiful I say !

Re:

[nine-times (778537)]

I'm not sure how this analogy is relevant. Isn't Paypal asking service providers to block Paypal messages that lack signatures? Wouldn't it be more like: if there were fake police officers going through people's houses and stealing things, and in response then the police department asked citizens not to let police officers into their houses unless those police carried some kind of official ID.

It doesn't sound unreasonable to me.

Re:

[gstoddart (321705)]

I'm not sure how this analogy is relevant. Isn't Paypal asking service providers to block Paypal messages that lack signatures?

Well, the problem with this, is unless they can get every service provider to block such messages, it's a worthless system.

See, going to all of the ISPs and saying "help us come up with a secure solution that applies only to us" doesn't solve the general problem or phishing and the like. And, any system which is (mostly) a widespread fix for Paypal doesn't cover all of the other ve

Re:

[nine-times (778537)]

My point was, and still is, doing verification on an ISP-level on a one-service-at-a-time basis is a completely worthless system

It's not completely worthless if it stops PayPal phishing. A large percentage of phishing that goes on is pretending to be PayPal or Ebay.

Or you're going to have a whole bunch of individual services all trying to get all of the ISPs to provide authentication for their crap

Not "provide authentication". They're not asking ISPs to devise an authentication service. The service ex

Already is illlegal

[Russ Nelson (33911)]

It's already illegal to enter premises where you know you're not invited, even if the door is open. Were it not for the fact that your premise is COMPLETELY WRONG, this would a great satire.

Time to move past SMTP?

[mdboyd (969169)]

The issue here seems to be spam/phishing. I wonder if it's time to develop something like SMTP 2.0... an equivalent to a "new" e-mail system completely separate from the current one. Maybe it should have centrally managed servers for stricter authentication? Is the current system defective by design or just in need of some updated techniques?

Re:Time to move past SMTP?

[Trillan (597339)]

SMTP is not only defective by design, but defective by requirement.

Re:

[Trillan (597339)]

From the RFC #2821 (which defiens modern SMTP):

SMTP mail is inherently insecure in that it is feasible for even fairly casual users to negotiate directly with receiving and relaying SMTP servers and create messages that will trick a naive recipient into believing that they came from somewhere else. Constructing such a message so that the "spoofed" behavior cannot be detected by an expert is somewhat more difficult, but not sufficiently so as to be a deterrent to someone who is deter

Nope. SMTP works fine.

[khasim (1285)]

It's just that email is NOT a good method to distribute ALL information.

Rather than re-working an existing system so it is more "effective" in handling a specific case, why not look at how best to handle that specific case?

We've been over this before with regular banks. You need two different channels to confirm a transaction to make it "safe" enough for the average person. Web and phone is good combination.

I don't get it.

[jpellino (202698)]

Because hovering over the link in the mail is hard?

Re:I don't get it.

[sqlrob (173498)]

Right, something like http://update-paypal-security.info/ [update-pay...urity.info] is obviously a phish to the average user.

Re:I don't get it.

[navyjeff (900138)]

Right, something like http://update-paypal-security.info/ [update-pay...urity.info] is obviously a phish to the average user.

I think that link is slashdotted. I tried to update my paypal security info, but the site seems to be down. Anyone got a cached link???

(My karma's gonna burn for this...)

Re:

[Billosaur (927319)]

It's not hard, but the fact is, the average user doesn't understand that the path in a link may not go to the place they think it will. The truly web-savvy are knowledgeable but in the minority. What is needed is for email clients to have an option similar to what you see here on Slashdot, where the domain of the link is displayed, although it would need to be expanded to accommodate the intricate URLs spoofer sometimes use. If the average user could see a visual representation of the link, they might be mo

I like this idea

[jhfry (829244)]

Why don't major financial insititutions all create a coalition that does exactly this. This coalition would issue signing certificates for the various members, who will then sign all of their email.

All that mail hosts would need to do is verify that the mail was signed by a valid certificate that was issued by the coalition. One certificate to verify against. The coalition can then issue revocation lists as necessary if a member's certificate is ever comprimised.

Seems like an ideal solution to reduce phishing. It could also be used by other organizations who could have their email signed in a similar way, which might allow these messages to bypass spam filters which would benefit the mail hosts.

I think of it as a way to implement a pseudo whitelist, which is by far the best way to ensure that you don't get spam.

KIE2ES: Keep it End-to-End Stupid

[John.P.Jones (601028)]

It should be sufficient to let the client handle this, domain's wishing that all mail from their domain should be signed can ADVERTIZE this fact and clients wishing to RESPECT that advertizement can verify signatures and filter incoming mail accordingly.

I guess I am just old-fashioned eh?

We need "Email 2.0"

[erroneus (253617)]

The whole idea of creating a newer, more secure and spam-resistant emailing standard has been out there for a long time. There are limitless "great ideas" on how it can be done but the problem is implementation and integration. We're already stuck in this way of doing things.

But somehow we need to answer the need and perhaps under the premise of protecting financials, there might be some potential for movement. I'm thinking that if a consortium of financial groups got together and decided that from here

Digital signature is the correct approach

[starfishsystems (834319)]

If emails were digitally signed, the identity of the sender would either verify or would fail to verify. This sounds like the correct approach. In competing approaches, the message is tagged in some way, the problem being that such messages can still be forged.

The barrier to acceptance of any signature approach (and there are several) is getting everybody on board, or at least a large enough segment of the user population to make a compelling case for others to follow. Paypal might be that segment, bec

Re:

[starfishsystems (834319)]

Right. I think you're saying that Paypal signatures can only help with verifying Paypal domains, not domains that might to a casual observer look like Paypal domains. I agree with the implied conclusion that signed email don't eliminate this particular type of phishing scam.

Signed email does, however, eliminate the presently very common and significant type of scam that depends on forging emails from legitimate domains.

Signed email also provides an effective basis for spam control, so I have to disagr

The funny part

[Lumpy (12016)]

Most paypal and ebay scam emails DON'T look legitimate. Most are so poorly formed they stand out as fake. From address is wrong, subject is formatted very differently etc... Anyone that uses Paypal regularly can easily see how bad of a job the scammers do in the fake emails.

Problem is, they are taking advantage of the fact that people like me make up 10% of the total population, the rest fall for it because they don't take the time to be careful.

Good news!

[bziman (223162)]

I run my own domain, and while I haven't found a good API for checking domain keys yet, one thing I do is check to see if a domain key signature is present in domains that are known to use them -- for example, if a message claims to be from gmail.com or yahoo.com, I just make sure there is a domain key signature header in the message... no need to validate it. Sure a spammer could put a fake signature in, but then it would be block by the major mail providers.

Granted, this is only a short term solution -- I'm hoping that good support for domain keys appears for Exim before too much longer.

I am also using Sender Policy Framework, as one poster suggested, however it does have two significant limitations. The first limitation is that it doesn't work for forwarded account... for example, I use an @acm.org forwarder for some traffic, which means that the host connecting to my mail server is from acm.org, which won't be listed in the SPF entry for iwanttohireyou.com. There have been some proposed methods for re-writing From lines, but it's really not workable. In my case, I know what servers are allowed to forward mail to my domain, and I simply bypass the SPF check in those cases.

The other problem with SPF, that I see more and more, is that most spammers have stopped putting well known domains in their from lines and are instead using garbage domains, which of course do not have SPF entries. If SPF was universal, then the absence of an SPF entry would tell you something, but it isn't, so it doesn't.

Still, between SPF, domain keys, and well monitored RBLs, you can keep spam to a minimum, and I applaud PayPal for trying to get other ISPs to implement these sorts of controls.

-brian

Email is Stupid

[objekt (232270)]

I've said it before and I'll say it again; email is stupid. I freaking HATE email. It's mostly spam and is rarely useful.

I rely on forums and chats for 99% of my useful communications on the internet.

The whole concept of email needs to be redesigned, as others have pointed out.

Paypal should communicate with users through it's site, NOT through email.

they need to 'hard fail all' in their SPF record

[marvinglenn (195135)]

The first thing they should do is change the "~all" to "-all" at the end of their SPF [openspf.org] records.

paypal.com. 3600 IN TXT "spf2.0/pra mx include:s._sid.ebay.com include:m._sid.ebay.com include:p._sid.ebay.com include:c._sid.ebay.com include:spf-2._sid.paypal.com ~all"
paypal.com. 3600 IN TXT "v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com include:spf-1.paypal.com ~all"

DomainKeys

[DaMattster (977781)]

On its face, this seems like a good idea. But, there are bound to be problems related to interoperability with the various SMTP server implementations. Don't everyone groan at once when I mention M$ Exchange. I have thought of suggesting using OpenPGP but any joe blow could create a PGP public/private key-pair that purports to be from Paypal and use that key to send out phishing emails. I suppose Paypal could include a fingerprint of its key but I am not really sure. S/MIME might also be another option for digital signing.

Re:How about just block emails from paypal?

[DrLov3 (1025033)]

How dare they do this, imspeech the people sending emails to me(scammer or not), I need those emails, thier futile attemps to get my money is detectable at the naked eye, I need those for my weekly laughter at thier incompetence, keeps me cheered up, otherwise I might go on a killing spree or something, and paypal will be held accountable for the death and violence.

I mean why on earth would a third party have the right to request that I stop recieving my emails.

Re:

[networkBoy (774728)]

Fair enough.
I run a script that loads their page mercilessly and attempts to log in through their proxy/spoof with random credentials.
It's a practice that's gotten me DOS'd more than once.

But your average joe sixpack is susceptible to these scams, and as such I like what ebay corp. is attempting to do.
-nB

Re:How about just block emails from paypal?

[The Cisco Kid (31490)]

Someone one said "A fool and his money are soon parted".

Joe Sixpack needs to get off his ass, and actually learn something about the tool (yes its a TOOL, not a toy) he is using to send/receive REAL money to/from other people. If he is too lazy/ignorant/unmotivated to do that, then he will get ripped off, and its not ebay, paypal, or the government's job to protect him from his own stupidity.

We've been through this before

[Beryllium Sphere(tm) (193358)]

Coins, money, checks and stock certificates have all been forged. One option would have been blaming the victims. Instead the industries involved developed anti-forgery technology and deployed it.

Today email is being forged for criminal gain. The anti-forgery technology already exists. Paypal is negotiating with their business partners to get it deployed.

We all benefit from closing off easy opportunities for crime. Blaming the victim doesn't work very well in the case of a pharming attack anyway.

Re:How about just block emails from paypal?

[indifferent children (842621)]

...medicate themselves...

They're willing to try. That's why the Dremel tools come with a warning, "This is not a dental tool."

Re:

[MBGMorden (803437)]

Please. I went to a public school South friggen Carolina. We were (at the time) ranked one of the lowest states in education nationwide. Did I have some trouble transitioning into college course? A little, but I did fine in the end. Could the education have been better? Yes. That being said, people make WAY too much fuss over how "bad" the education system is in the US. I might have a shotgun and a pack of hunting dogs, but I also know very well what String Theory and Hawking Radiation are :). We h

Re:How about just block emails from paypal?

[miskatonic alumnus (668722)]

That being said, people make WAY too much fuss over how "bad" the education system is in the US.

I'm in a position to criticize this education system, having spent 12 years attempting to teach mathematics (including remedial mathematics) to its graduates. I've spoken with the students and their previous instructors, and determined that their public school teachers don't understand the material they "teach". My colleagues who teach history, art, biology, political science, and English say the students do little better in those areas. So yeah, the schools suck --- except when it comes to sports, of course.

You want to accuse "Joe-6-pack" of being stupid then go right ahead, but it's a result of his own choices. Anybody who wants to learn in an American school can still do fairly well.

Here's the rub --- in order to make an informed, rational, intelligent choice you have to be educated. It's a vicious circle: bad decisions lead to ... more bad decisions. You can't bootstrap yourself from an illiterate, innumerate dunce to a Bill Gates or Einstein without a proper support network. Some are capable of doing more with less, but you can't just throw a computer or a book at a child, say "Teach thyself!" and expect good results.

Re:How about just block emails from paypal?

[miskatonic alumnus (668722)]

What next? If a person can't keep from being killed, he shouldn't be alive in the first place? What's with this blaming the victim? How about we get some decent security as part of the e-mail infrastructure? How about we ramp up prosecution of these thieves?

I'll tell you a little story. Once I was operating a cash register, and got conned by a change-raising artist. How humiliating. I guess I shouldn't handle cash.

Re:

[Spazmania (174582)]

Easier said than done. How do their systems know that an email purports to be from paypal? The fact that it says "paypal"? This post would be blocked. That there is a link to paypal? The link isn't to paypal; its to the phishing site. If there was a way to "know" that an email purported to be from paypal, most of these services would already block it due to Paypal's SPF records.

Re:

[Spazmania (174582)]

you mean as in if I had say 5 e-mail address and each of them forwarded the e-mail to me@myemail.com so that I could check them all in one place and my real paypal e-mails were being sent to one of those original 5?

Correct. Its a relatively common occurance: you have everything going to me@myisp.com but you start using me@gmail.com instead so you have your ISP forward everything that goes to me@myisp.com to me@gmail.com.

If that's the case I'm guessing that Ebay/Paypal are just betting on there being a minim

Re:

[Fulcrum of Evil (560260)]

That means every mail server operator, even the home hobbiest, has to subscribe to some third-party authentication service like domain keys.

I'm just a hobbier, not a hobbiest. Of course, public key stuff means you just have to generate a keypair and put the public one in your domain record.

Re:

[suggsjc (726146)]

That means every mail server operator, even the home hobbiest, has to subscribe to some third-party authentication service like domain keys.

Yes, but no.
Only the mail server operators that want to prevent phishing scams targeting PayPal would have to implement "some third-party authentication."

I understand what you are saying, and coming up with a solution that only solves a very specific problem (or subset or a problem) isn't very efficient. But if the big players like google, yahoo, microsoft all did

Re:

[Aladrin (926209)]

Enforce? Who said anything about enforcing? If they can simply get the major ISPs (AOL, Earthlink, MSN, etc) to agree to do this server-side, that'll leave only businesses and people smart enough to have their own domain that don't have this protection. It will remove the majority of the phishing.

This is not a customer-side solution, so they aren't trusting users with anything.

Do I think it's a good idea or even that it'll happen? Not really. But it's a nice gesture from a company who is usually just c