Catch up on stories from the past week (and beyond) at the Slashdot story archive

 



Forgot your password?
typodupeerror
×
Spam

PayPal Asks E-mail Services to Block Messages 222

roscoetoon writes ""PayPal, the Internet-based money transfer system owned by eBay, is trying to persuade e-mail providers to block messages that lack digital signatures, which are aimed at cutting down on phishing scams, a company attorney said Tuesday.So far, no agreements have been reached,..." "...PayPal is using several technologies to digitally sign its e-mails now, including DomainKeys, Sullivan said. DomainKeys, a technology developed by Yahoo Inc., enables verification of the sender and integrity of the message that's sent." "...An agreement with, for example, Google for its Gmail service could potentially stop spam messages that look legitimate and bypass spam filters.""
This discussion has been archived. No new comments can be posted.

PayPal Asks E-mail Services to Block Messages

Comments Filter:
  • It sure would be nice to see this go through. If I had a dollar for everytime I have gotten an email from some fake paypal scheme I would be rich. Hopefully ISP's and Email providers will go along with this, because quite frankly, I hate it.
    • by Intron ( 870560 )
      The whole reason there are fake Paypal schemes is people thinking "If I had a dollar from every fool using Paypal I would be rich".

      Unfortunately, someone needs to trot out the anti-spam checklist now:

      (X) It will stop spam for two weeks and then we'll be stuck with it
      (X) Ideas similar to this are easy to come up with, yet none have ever been shown practical
    • I sent you an email offering you just this very thing the other day. My uncle, the prince of Nigeria, has been mortified by all the spam and phishing scams occuring all over the world. He set aside $100,000,000 dollars into a fund for those most affected. He asked me to track them down for him. Given the sensitive nature of this program we are delivering the funds strictly in cash. All we need for you is to send your car keys and the location where it is parked to this PO Box, and in a few days you wil
  • by LordPhantom ( 763327 ) on Wednesday March 28, 2007 @10:22AM (#18515899)
    What ever happened to email signatures/authentication/etc? Rather than mess around with specific providers, they should talk to the folks writing the software and develop or work with an existing standard for identity authentication. It's not like encryption/signatures don't already exist, the problem is in mass adoption and making it nearly thoughtless to do so that is the difficulty.
    • (and this message was brought to you by the Department of Redundancy Bureau). I hate it when I don't click preview.....
    • Every email software/website?

      That's like saying "stopping malware would be easy if only Bill and Linus forged and alliance and combined their powers"
    • by jimicus ( 737525 )
      the problem is in mass adoption and making it nearly thoughtless to do so that is the difficulty.

      I think you possibly underestimate how big a problem that is.

      In the days of snail mail, it was pretty uncommon for you to receive a letter purporting to be from someone it wasn't. Certainly not, say, a letter from your bank saying "We've accidentally gone and deleted all your verification information, please reply within 7 working days to the address above enclosing your full name, account number and signatur
    • by Russ Nelson ( 33911 ) <slashdot@russnelson.com> on Wednesday March 28, 2007 @12:13PM (#18517383) Homepage
      This *is* an email signature system, only at the MTA level rather than the MUA level like PGP. The idea is to make mass adoption easier, since, as you say, it's the main difficulty. So get off your butt and get DomainKeys working!
  • SPF (Score:5, Informative)

    by ikegami ( 793066 ) on Wednesday March 28, 2007 @10:24AM (#18515939)
    This is the problem Sender Policy Framework (SPF) [openspf.org] tries to address.
    • Tries but fails (Score:4, Informative)

      by Russ Nelson ( 33911 ) <slashdot@russnelson.com> on Wednesday March 28, 2007 @12:17PM (#18517431) Homepage
      The problem with SPF is that it's really easy to implement, and works really badly. DomainKeys is a real solution to the problem, but it's harder to implement because you can't munge the email (which various MTAs are prone to do).
      • by Milican ( 58140 )
        Could you be more specific?

        JOhn
      • The problem with SPF is that it's really easy to implement, and works really badly.
        Hi Russ. Could you elaborate on this point? Why do you think that SPF "works really badly"?
        • Re: Tries but fails (Score:4, Informative)

          by Dolda2000 ( 759023 ) <fredrik.dolda2000@com> on Wednesday March 28, 2007 @03:09PM (#18519709) Homepage
          Since he does not seem to, let me take the chance to elaborate on that one. One of the greatest problems with SPF is that you can't forward messages, so SPF would mean the doom of mailing lists. To be more specific about the problem, if I send a mail to a list, it might come from me@foo.com, and in foo.com's SPF DNS record, I have stated the IP address for the mail servers from which mails are allowed to arrive. The mailing list may check that and be content, but then it forwards it to all its members, using its own mail server, which, of course, isn't recorded in foo.com's SPF record. Hence, all receiving hosts (that support SPF) will refuse the message.

          DomainKeys doesn't have a problem with that, though. It signs the message body and a select choice of headers (by default, all headers below the DomainKeys header) with a private key (which is only known to the submit servers). The receiving host checks foo.com's DNS for the public key, and verifies the signature. Obviously, this works with mailing lists as well, since it doesn't matter from which mail server the message arrives. All which matters is that the signature can be verified with the public key in the From address' domain's DNS records.

          Naturally, it isn't just mailing lists which run into problems. A lot of mail systems rely on forwarding.

  • Even better (Score:5, Insightful)

    by Applekid ( 993327 ) on Wednesday March 28, 2007 @10:25AM (#18515949)
    How about Paypal just gives up sending email?

    I've seen lots of spoof Paypal emails and some of them look frighteningly close to the real thing. Even if Paypal's sending legitimate email, what is it? Emailed receipts? Just what I want hopping from mail server to mail server. Emailed promotions? No thanks, does anyone REALLY want those?

    If it's that important, do what businesses have been doing for a good century: certified postal mail. If you don't wanna pay the dollar fifty for it, then it must not be very important and, by definition, it makes it non-essential.
    • My guess would be even though Paypal never sends email to their customers, they would still end up paying out fraud for folks falling for the phish.

      This would be the motivation for Paypal to seek a real fix, the phishing is hitting their bottom line and there's nothing they can directly change; they have to take a global direction.
    • Um, no.

      If you owned a company who's (almost) exclusive way of communicating with customers is by email, would you give it up and tell the millions who depend on Paypal that they'll receive receipts by the mailman? Yes their customer service is shit so I won't even try to sugarcoat that reality. Right let's send an email to customers in Africa, the receipt for a purchase shall come in by Air-Camel straight from UK!

      Yes, fake paypal emails do look very similar sometimes to the real thing, but if you fall for i
    • Heaven forbid they just ask people to get off their butts and manually type in 'paypal.com' Granted, this exposes them to some typo domains, but it sure beats blindly clicking around and handing your authentication info to strangers. I always tell non-techies to always type in their banks name and dont bother trying to decipher whether an email is safe or not.
    • I've seen lots of spoof Paypal emails and some of them look frighteningly close to the real thing

      Probably because Paypal is deceptive in their own mails. Here's an excerpt from a recent PayPal mail as rendered by MailScanner [mailscanner.info]:

      MailScanner has detected a possible fraud attempt from "email1.paypal.com" claiming to be AllPosters.com

      MailScanner has detected a possible fraud attempt from "email1.paypal.com" claiming to be TigerDirect.com

      Disney's Toontown
      Time Consumer Marketing

      eBags

      Mai

    • "Emailed receipts?"

      Yes. I want emailed receipts. I want to be able to search my payment history with GMail. And you forgot things like email address verification - Paypal needs to send emails for that.

      Heck, even if they decide not to send emails anymore, then people will still fall for Paypal phishing emails.
    • Re: (Score:3, Interesting)

      by Anonymous Coward
      My bank sends a couple types of emails. One is a "A statement for your account ending in XXXX has been posted."

      Another is "We have sent you a secure message. Log into your account to see it."

      The emails are only text, and they never have a link to the bank's website. The two sentences I have quoted above are pretty much the entire contents of the emails.

      The bank has trained me that if they have something to tell me, I should go to the site on my own and log into my account like I would for anything else. No
  • That reminds me.. (Score:3, Insightful)

    by Rob T Firefly ( 844560 ) on Wednesday March 28, 2007 @10:26AM (#18515971) Homepage Journal
    I'm sick of people entering my house through the open front door while I'm away, and stealing all my stuff. I want to make it illegal for people to just walk through open doors.

    I know, you're thinking "why don't you just do something about your open front door?" But dammit, I've based my entire security model around having my front door open at all times, and I really can't be bothered to dream up a more secure system than a wide open front door. I'd much rather make it everyone else's problem instead.
    • by Aladrin ( 926209 )
      Ah, the flawed analogy. Such a fine artform these days.

      There is no law involved here. They are -asking- ISPs to do this and help both PayPal and the ISP's customers. There is no law. There is no old woman nagging 'Now don't you do that!'

      A better analogy: I'm sick of airports letting people carry knives onto airplanes. I want them to scan and prevent people from carrying them onboard.
    • by geekoid ( 135745 )
      What I am thinking is that there is a law. Just because someone's door is open doesn't mean you get to enter there home. The exception is places where it is reasonably expected for you to do so..i.e. business.

      That, and the fact that your analogy in no way what so ever fits what they are talking about. It's not a poos analogy, it is a wrong analogy.
    • Re: (Score:3, Informative)

      by nine-times ( 778537 )

      I'm not sure how this analogy is relevant. Isn't Paypal asking service providers to block Paypal messages that lack signatures? Wouldn't it be more like: if there were fake police officers going through people's houses and stealing things, and in response then the police department asked citizens not to let police officers into their houses unless those police carried some kind of official ID.

      It doesn't sound unreasonable to me.

      • Re: (Score:3, Insightful)

        by gstoddart ( 321705 )

        I'm not sure how this analogy is relevant. Isn't Paypal asking service providers to block Paypal messages that lack signatures?

        Well, the problem with this, is unless they can get every service provider to block such messages, it's a worthless system.

        See, going to all of the ISPs and saying "help us come up with a secure solution that applies only to us" doesn't solve the general problem or phishing and the like. And, any system which is (mostly) a widespread fix for Paypal doesn't cover all of the other ve

    • It's already illegal to enter premises where you know you're not invited, even if the door is open. Were it not for the fact that your premise is COMPLETELY WRONG, this would a great satire.
  • The issue here seems to be spam/phishing. I wonder if it's time to develop something like SMTP 2.0... an equivalent to a "new" e-mail system completely separate from the current one. Maybe it should have centrally managed servers for stricter authentication? Is the current system defective by design or just in need of some updated techniques?
    • by Trillan ( 597339 ) on Wednesday March 28, 2007 @10:30AM (#18516029) Homepage Journal
      SMTP is not only defective by design, but defective by requirement.
      • SMTP is not only defective by design, but defective by requirement.

        Nobody ever meets the design requirements!

        Next you're going to tell me they were on schedule too!
    • It's just that email is NOT a good method to distribute ALL information.

      Rather than re-working an existing system so it is more "effective" in handling a specific case, why not look at how best to handle that specific case?

      We've been over this before with regular banks. You need two different channels to confirm a transaction to make it "safe" enough for the average person. Web and phone is good combination.
      • but this is more than just one specific case. even if paypal insituted a never-use-email policy, it wouldnt stop the phishing. even if every financial institution used this policy, it would take a while before the public really understood that they should never trust an email from a financial institution. in the time it would take, we could probably develop a new SMTP that would stop the phishing and the spamming.

        yes, it's going to be very hard to completely replace SMTP, but the longer we wait the harde
        • but this is more than just one specific case.

          Not really. It's "fraud". That's all.

          even if paypal insituted a never-use-email policy, it wouldnt stop the phishing.

          Correction: It would not stop the phishing attempts. It could stop the fraud from occurring. And that is the goal, is it not?

          even if every financial institution used this policy, it would take a while before the public really understood that they should never trust an email from a financial institution.

          Let me give you an example of how to end the f

    • Re: (Score:2, Insightful)

      It's been time to rework SMTP for a decade now. First, it was open mail servers. Next, it was the lack of any verification that a mail server was in the domain it claimed to be in in its HELO line. Next, it's the lack of a way for the SMTP server to authenticate a connecting user.

      For every one of these problems, a solution has had to be cobbled together, usually using a large amount of gum, duct tape, and string.

      And how long have people been discussing a replacement to SMTP? I remember posts on this sub
  • I don't get it. (Score:4, Insightful)

    by jpellino ( 202698 ) on Wednesday March 28, 2007 @10:28AM (#18515995)
    Because hovering over the link in the mail is hard?

    • by sqlrob ( 173498 ) on Wednesday March 28, 2007 @10:43AM (#18516183)
      Right, something like http://update-paypal-security.info/ [update-pay...urity.info] is obviously a phish to the average user.

      • Perhaps, but your average spoofer isn't going to show that URL in the link; it would probably look more like http://security.paypal.com/ [paypal.com] and the average user isn't going to be aware that the source URL for that link is not the same as what's being displayed.

        • That's why OP recommended hovering over the link. But people like my Dad wouldn't know the difference between paypal.com & paypal-user.info. And I'm sure he's the type who gets hit by phishing. As others have suggested, maybe it's time for these companies to revert to more traditional, tried & trusted means of communication. It's not like they aren't making stacks of cash every day.
        • I suspect the PP's sarcasm was a bit too subtle for you - the point is, that to the average user, "update-paypal-security.info" *DOES* look legitimate.

          This is a hard problem, and requires people to acquire skills that they should already have to begin with. I blame Microsoft for making it 'too easy' for people, and people for letting MS lead them by the hand.
      • by navyjeff ( 900138 ) on Wednesday March 28, 2007 @11:34AM (#18516839) Homepage Journal

        Right, something like http://update-paypal-security.info/ [update-pay...urity.info] is obviously a phish to the average user.

        I think that link is slashdotted. I tried to update my paypal security info, but the site seems to be down. Anyone got a cached link???

        (My karma's gonna burn for this...)

    • It's not hard, but the fact is, the average user doesn't understand that the path in a link may not go to the place they think it will. The truly web-savvy are knowledgeable but in the minority. What is needed is for email clients to have an option similar to what you see here on Slashdot, where the domain of the link is displayed, although it would need to be expanded to accommodate the intricate URLs spoofer sometimes use. If the average user could see a visual representation of the link, they might be mo

    • Re: (Score:2, Informative)

      by eli pabst ( 948845 )
      I've seen phishing scam emails using obfuscated javascript for links to the actual phishing sites recently, so that isn't always a tipoff. Your grandma and grandpa aren't going to be able to download the page source and walk through the javascript to see what it's doing.
  • I like this idea (Score:3, Insightful)

    by jhfry ( 829244 ) on Wednesday March 28, 2007 @10:28AM (#18515997)
    Why don't major financial insititutions all create a coalition that does exactly this. This coalition would issue signing certificates for the various members, who will then sign all of their email.

    All that mail hosts would need to do is verify that the mail was signed by a valid certificate that was issued by the coalition. One certificate to verify against. The coalition can then issue revocation lists as necessary if a member's certificate is ever comprimised.

    Seems like an ideal solution to reduce phishing. It could also be used by other organizations who could have their email signed in a similar way, which might allow these messages to bypass spam filters which would benefit the mail hosts.

    I think of it as a way to implement a pseudo whitelist, which is by far the best way to ensure that you don't get spam.
  • It should be sufficient to let the client handle this, domain's wishing that all mail from their domain should be signed can ADVERTIZE this fact and clients wishing to RESPECT that advertizement can verify signatures and filter incoming mail accordingly.

    I guess I am just old-fashioned eh?
  • The whole idea of creating a newer, more secure and spam-resistant emailing standard has been out there for a long time. There are limitless "great ideas" on how it can be done but the problem is implementation and integration. We're already stuck in this way of doing things.

    But somehow we need to answer the need and perhaps under the premise of protecting financials, there might be some potential for movement. I'm thinking that if a consortium of financial groups got together and decided that from here
  • If emails were digitally signed, the identity of the sender would either verify or would fail to verify. This sounds like the correct approach. In competing approaches, the message is tagged in some way, the problem being that such messages can still be forged.

    The barrier to acceptance of any signature approach (and there are several) is getting everybody on board, or at least a large enough segment of the user population to make a compelling case for others to follow. Paypal might be that segment, bec

    • by jfengel ( 409917 )
      It's not quite as easy as it sounds. It hinges on the notion of "purporting to be from Paypal users". It's easy to eliminate cases where the return address is paypal.com but the signature fails. It's harder when the return address is paypa1.com (look closely), and eventually it just devolves to the spam recognition problem, which is known to be hard.

      And once you've defined that, the digital signature becomes nearly moot. If it's in the "looks like Paypal" category but links to something other than paypa
      • Re: (Score:3, Interesting)

        Right. I think you're saying that Paypal signatures can only help with verifying Paypal domains, not domains that might to a casual observer look like Paypal domains. I agree with the implied conclusion that signed email don't eliminate this particular type of phishing scam.

        Signed email does, however, eliminate the presently very common and significant type of scam that depends on forging emails from legitimate domains.

        Signed email also provides an effective basis for spam control, so I have to disagr

  • My problem isn't PayPal - it's the frickin' parent company of eBay.

    The spam and phishing from PayPal is insignificant compared to the crap I get through eBay should I try to auction or sell off an old computer system. (Next to charity donation, it's the best recycling system I have available) The last 3 auctions I did - it took me 6 weeks to get rid of a Tablet PC because the first auction was terminated by a Nigerian trying to defraud me, the 2nd derailed because of the first's premature termination, a

  • The funny part (Score:3, Interesting)

    by Lumpy ( 12016 ) on Wednesday March 28, 2007 @10:53AM (#18516327) Homepage
    Most paypal and ebay scam emails DON'T look legitimate. Most are so poorly formed they stand out as fake. From address is wrong, subject is formatted very differently etc... Anyone that uses Paypal regularly can easily see how bad of a job the scammers do in the fake emails.

    Problem is, they are taking advantage of the fact that people like me make up 10% of the total population, the rest fall for it because they don't take the time to be careful.
  • Good news! (Score:5, Insightful)

    by bziman ( 223162 ) on Wednesday March 28, 2007 @10:59AM (#18516383) Homepage Journal

    I run my own domain, and while I haven't found a good API for checking domain keys yet, one thing I do is check to see if a domain key signature is present in domains that are known to use them -- for example, if a message claims to be from gmail.com or yahoo.com, I just make sure there is a domain key signature header in the message... no need to validate it. Sure a spammer could put a fake signature in, but then it would be block by the major mail providers.

    Granted, this is only a short term solution -- I'm hoping that good support for domain keys appears for Exim before too much longer.

    I am also using Sender Policy Framework, as one poster suggested, however it does have two significant limitations. The first limitation is that it doesn't work for forwarded account... for example, I use an @acm.org forwarder for some traffic, which means that the host connecting to my mail server is from acm.org, which won't be listed in the SPF entry for iwanttohireyou.com. There have been some proposed methods for re-writing From lines, but it's really not workable. In my case, I know what servers are allowed to forward mail to my domain, and I simply bypass the SPF check in those cases.

    The other problem with SPF, that I see more and more, is that most spammers have stopped putting well known domains in their from lines and are instead using garbage domains, which of course do not have SPF entries. If SPF was universal, then the absence of an SPF entry would tell you something, but it isn't, so it doesn't.

    Still, between SPF, domain keys, and well monitored RBLs, you can keep spam to a minimum, and I applaud PayPal for trying to get other ISPs to implement these sorts of controls.

    -brian

  • Ok, class, here's the header, now tell me what's wrong with it:

    Date: March 28, 2007 9:36:46 AM EDT
    From: admin@paypal.com
    Subject: Your PayPal account access is limited.
    To:
    Reply-To: paypal@paypal.com
    Return-Path:
    Received: from 10.0.0.2 (ont-static-216.70.173.8.mpowercom.net [216.70.173.8] (may be forged)) by localhost.localdomain (8.12.11.20060308/8.12.11) with SMTP id l2SDfRsJ001136 for ; Wed, 28 Mar 2007 08:41:29 -0500
    Received: from by ; Wed, 28 Mar 2007 17:30:46 +0400
    Message-Id: >
    X-Mailer: Inter
  • And for those of us who already sign our e-mails and publish a public key, why doesn't PayPal simply distribute its public key block on its web-site, using HTTPS so that its integrity is maintained?
  • Email is Stupid (Score:3, Insightful)

    by objekt ( 232270 ) on Wednesday March 28, 2007 @11:14AM (#18516605) Homepage
    I've said it before and I'll say it again; email is stupid. I freaking HATE email. It's mostly spam and is rarely useful.

    I rely on forums and chats for 99% of my useful communications on the internet.

    The whole concept of email needs to be redesigned, as others have pointed out.

    Paypal should communicate with users through it's site, NOT through email.
  • Unfortunately, SPF and DomainKeys (DKIM) are not the answer to verifying mail. Currently, as has already been discussed thoroughly, the adoption rate for both of these among legitimate senders of mail has been abysmal. Those few who have adopted these tools are in the minority, and as a result, it is impossible to rely upon these tools as definitive proof that a message is legitimate.

    Compounding this problem is the fact that there is NOTHING in place to stop spammers from setting up a SPF record or perhap
    • by Blain ( 264390 )
      Spam is hard to identify? I'm not sure what you're talking about. I've been using PopFile to sort my email for quite a long time, in both high-spam periods and low-spam periods, and it's been more than 99% accurate almost all of that time (more than 90% accurate within a week even on low volume with a little training). It took about three messages to train it to tell phish from spam.

      I've been curious as to why providers like gmail and hotmail don't check to see if a message being sent to some threshold n
  • If you look at their _domainkey.paypal.com record, it looks like this:

    _domainkey.paypal.com. 3600 IN TXT "t=y\; o=~"
    The t=y value says that they're still just testing. According to the DomainKeys standard, that means that you're not supposed to take any action based on the result of checking the DomainKeys signature.
  • Why the frak don't they just use PGP/GnuPG? Cripes.
  • I've gotten plenty of spams that look exactly like the paypal "you have paid X" emails. The only difference is that the site it links to is not paypal, but one intended to snarf your password.

    It's always worth checking out when you get a notification that a possibly-fraudulant purchase has been made. In my case I just go directly to paypal in my browser (without using the link in the email) and check my account, but I'd bet a lot of people might get suckered by this one.

    Is there a way to enable signatur
  • by marvinglenn ( 195135 ) on Wednesday March 28, 2007 @12:25PM (#18517549)

    The first thing they should do is change the "~all" to "-all" at the end of their SPF [openspf.org] records.

    paypal.com. 3600 IN TXT "spf2.0/pra mx include:s._sid.ebay.com include:m._sid.ebay.com include:p._sid.ebay.com include:c._sid.ebay.com include:spf-2._sid.paypal.com ~all"
    paypal.com. 3600 IN TXT "v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com include:spf-1.paypal.com ~all"

  • Honestly, I don't want no companie's own e-mail verification system. People - yes, real people, and surprise surprise quite a lot of us - use GPG for signing and encrypting e-mails and everything else, and there are lots of freely usable keyservers out there. But hell would freeze over if any company with their bucks dropping out from their a**es would ever just use a proven, available and easy way of e-mail signing. Just give all your users keys and you're done, they don't even have to know they have one.
  • DomainKeys (Score:3, Interesting)

    by DaMattster ( 977781 ) on Wednesday March 28, 2007 @01:36PM (#18518553)
    On its face, this seems like a good idea. But, there are bound to be problems related to interoperability with the various SMTP server implementations. Don't everyone groan at once when I mention M$ Exchange. I have thought of suggesting using OpenPGP but any joe blow could create a PGP public/private key-pair that purports to be from Paypal and use that key to send out phishing emails. I suppose Paypal could include a fingerprint of its key but I am not really sure. S/MIME might also be another option for digital signing.

Think of it! With VLSI we can pack 100 ENIACs in 1 sq. cm.!

Working...