PayPal Asks E-mail Services to Block Messages

roscoetoon writes ""PayPal, the Internet-based money transfer system owned by eBay, is trying to persuade e-mail providers to block messages that lack digital signatures, which are aimed at cutting down on phishing scams, a company attorney said Tuesday.So far, no agreements have been reached,..." "...PayPal is using several technologies to digitally sign its e-mails now, including DomainKeys, Sullivan said. DomainKeys, a technology developed by Yahoo Inc., enables verification of the sender and integrity of the message that's sent." "...An agreement with, for example, Google for its Gmail service could potentially stop spam messages that look legitimate and bypass spam filters.""

Sure would be nice

[Kranfer]

It sure would be nice to see this go through. If I had a dollar for everytime I have gotten an email from some fake paypal scheme I would be rich. Hopefully ISP's and Email providers will go along with this, because quite frankly, I hate it.

Re:

[Intron]

The whole reason there are fake Paypal schemes is people thinking "If I had a dollar from every fool using Paypal I would be rich".

Unfortunately, someone needs to trot out the anti-spam checklist now:

(X) It will stop spam for two weeks and then we'll be stuck with it
(X) Ideas similar to this are easy to come up with, yet none have ever been shown practical

Didn't you get my offer?

[Leuf]

I sent you an email offering you just this very thing the other day. My uncle, the prince of Nigeria, has been mortified by all the spam and phishing scams occuring all over the world. He set aside $100,000,000 dollars into a fund for those most affected. He asked me to track them down for him. Given the sensitive nature of this program we are delivering the funds strictly in cash. All we need for you is to send your car keys and the location where it is parked to this PO Box, and in a few days you wil

This isn't the right solution....

[LordPhantom]

What ever happened to email signatures/authentication/etc? Rather than mess around with specific providers, they should talk to the folks writing the software and develop or work with an existing standard for identity authentication. It's not like encryption/signatures don't already exist, the problem is in mass adoption and making it nearly thoughtless to do so that is the difficulty.

Re:

[LordPhantom]

(and this message was brought to you by the Department of Redundancy Bureau). I hate it when I don't click preview.....

Re:

[voice_of_all_reason]

Every email software/website?

That's like saying "stopping malware would be easy if only Bill and Linus forged and alliance and combined their powers"

Re:

[jimicus]

the problem is in mass adoption and making it nearly thoughtless to do so that is the difficulty.

I think you possibly underestimate how big a problem that is.

In the days of snail mail, it was pretty uncommon for you to receive a letter purporting to be from someone it wasn't. Certainly not, say, a letter from your bank saying "We've accidentally gone and deleted all your verification information, please reply within 7 working days to the address above enclosing your full name, account number and signatur

Errrr, this *is* an email signature

[Russ Nelson]

This *is* an email signature system, only at the MTA level rather than the MUA level like PGP. The idea is to make mass adoption easier, since, as you say, it's the main difficulty. So get off your butt and get DomainKeys working!

SPF

[ikegami]

This is the problem Sender Policy Framework (SPF) [openspf.org] tries to address.

Tries but fails

[Russ Nelson]

The problem with SPF is that it's really easy to implement, and works really badly. DomainKeys is a real solution to the problem, but it's harder to implement because you can't munge the email (which various MTAs are prone to do).

Re:

[Milican]

Could you be more specific?

JOhn

Re:

[Matt Perry]

The problem with SPF is that it's really easy to implement, and works really badly.

Hi Russ. Could you elaborate on this point? Why do you think that SPF "works really badly"?

Re: Tries but fails

[Dolda2000]

Since he does not seem to, let me take the chance to elaborate on that one. One of the greatest problems with SPF is that you can't forward messages, so SPF would mean the doom of mailing lists. To be more specific about the problem, if I send a mail to a list, it might come from me@foo.com, and in foo.com's SPF DNS record, I have stated the IP address for the mail servers from which mails are allowed to arrive. The mailing list may check that and be content, but then it forwards it to all its members, using its own mail server, which, of course, isn't recorded in foo.com's SPF record. Hence, all receiving hosts (that support SPF) will refuse the message.

DomainKeys doesn't have a problem with that, though. It signs the message body and a select choice of headers (by default, all headers below the DomainKeys header) with a private key (which is only known to the submit servers). The receiving host checks foo.com's DNS for the public key, and verifies the signature. Obviously, this works with mailing lists as well, since it doesn't matter from which mail server the message arrives. All which matters is that the signature can be verified with the public key in the From address' domain's DNS records.

Naturally, it isn't just mailing lists which run into problems. A lot of mail systems rely on forwarding.

Re:

[eric76]

I don't trust SPF enough to rely on it much. The only thing I use it for is to look up specific domains and find out what e-mail servers they use so I can whitelist those to skip the graylisting.

But any so-called legitimate marketeer can create an SPF record for their domains.

If you want to see how badly spf can be abused by regular ISPs, look at the SPF record for panix.com:

panix.com text = "v=spf1 ip4:166.84.0.0/16 ip4:198.7.7.0/24 ?all"

I assume they just added their entire IP blocks to the SPF rec

Even better

[Applekid]

How about Paypal just gives up sending email?

I've seen lots of spoof Paypal emails and some of them look frighteningly close to the real thing. Even if Paypal's sending legitimate email, what is it? Emailed receipts? Just what I want hopping from mail server to mail server. Emailed promotions? No thanks, does anyone REALLY want those?

If it's that important, do what businesses have been doing for a good century: certified postal mail. If you don't wanna pay the dollar fifty for it, then it must not be very important and, by definition, it makes it non-essential.

Re:

[RedHat Rocky]

My guess would be even though Paypal never sends email to their customers, they would still end up paying out fraud for folks falling for the phish.

This would be the motivation for Paypal to seek a real fix, the phishing is hitting their bottom line and there's nothing they can directly change; they have to take a global direction.

But of course! (right..)

[Man in Spandex]

Um, no.

If you owned a company who's (almost) exclusive way of communicating with customers is by email, would you give it up and tell the millions who depend on Paypal that they'll receive receipts by the mailman? Yes their customer service is shit so I won't even try to sugarcoat that reality. Right let's send an email to customers in Africa, the receipt for a purchase shall come in by Air-Camel straight from UK!

Yes, fake paypal emails do look very similar sometimes to the real thing, but if you fall for i

Re:

[gad_zuki!]

Heaven forbid they just ask people to get off their butts and manually type in 'paypal.com' Granted, this exposes them to some typo domains, but it sure beats blindly clicking around and handing your authentication info to strangers. I always tell non-techies to always type in their banks name and dont bother trying to decipher whether an email is safe or not.

Paypal is Deceptive

[bill_mcgonigle]

I've seen lots of spoof Paypal emails and some of them look frighteningly close to the real thing

Probably because Paypal is deceptive in their own mails. Here's an excerpt from a recent PayPal mail as rendered by MailScanner [mailscanner.info]:

MailScanner has detected a possible fraud attempt from "email1.paypal.com" claiming to be AllPosters.com

MailScanner has detected a possible fraud attempt from "email1.paypal.com" claiming to be TigerDirect.com

Disney's Toontown
Time Consumer Marketing

eBags

Mai

Re:

[FooBarWidget]

"Emailed receipts?"

Yes. I want emailed receipts. I want to be able to search my payment history with GMail. And you forgot things like email address verification - Paypal needs to send emails for that.

Heck, even if they decide not to send emails anymore, then people will still fall for Paypal phishing emails.

Re:

[Anonymous Coward]

My bank sends a couple types of emails. One is a "A statement for your account ending in XXXX has been posted."

Another is "We have sent you a secure message. Log into your account to see it."

The emails are only text, and they never have a link to the bank's website. The two sentences I have quoted above are pretty much the entire contents of the emails.

The bank has trained me that if they have something to tell me, I should go to the site on my own and log into my account like I would for anything else. No

That reminds me..

[Rob T Firefly]

I'm sick of people entering my house through the open front door while I'm away, and stealing all my stuff. I want to make it illegal for people to just walk through open doors.

I know, you're thinking "why don't you just do something about your open front door?" But dammit, I've based my entire security model around having my front door open at all times, and I really can't be bothered to dream up a more secure system than a wide open front door. I'd much rather make it everyone else's problem instead.

Re:

[Aladrin]

Ah, the flawed analogy. Such a fine artform these days.

There is no law involved here. They are -asking- ISPs to do this and help both PayPal and the ISP's customers. There is no law. There is no old woman nagging 'Now don't you do that!'

A better analogy: I'm sick of airports letting people carry knives onto airplanes. I want them to scan and prevent people from carrying them onboard.

Re:That reminds me..

[Fred_A]

Ah, the flawed analogy. Such a fine artform these days.

Yeah it didn't even have a car in it ! Pitiful I say !

Re:

[Rob T Firefly]

Ah, the flawed analogy. Such a fine artform these days.

But two bad analogies don't make a left turn.

Re:

[geekoid]

What I am thinking is that there is a law. Just because someone's door is open doesn't mean you get to enter there home. The exception is places where it is reasonably expected for you to do so..i.e. business.

That, and the fact that your analogy in no way what so ever fits what they are talking about. It's not a poos analogy, it is a wrong analogy.

Re:

[nine-times]

I'm not sure how this analogy is relevant. Isn't Paypal asking service providers to block Paypal messages that lack signatures? Wouldn't it be more like: if there were fake police officers going through people's houses and stealing things, and in response then the police department asked citizens not to let police officers into their houses unless those police carried some kind of official ID.

It doesn't sound unreasonable to me.

Re:

[gstoddart]

I'm not sure how this analogy is relevant. Isn't Paypal asking service providers to block Paypal messages that lack signatures?

Well, the problem with this, is unless they can get every service provider to block such messages, it's a worthless system.

See, going to all of the ISPs and saying "help us come up with a secure solution that applies only to us" doesn't solve the general problem or phishing and the like. And, any system which is (mostly) a widespread fix for Paypal doesn't cover all of the other ve

Re:

[nine-times]

My point was, and still is, doing verification on an ISP-level on a one-service-at-a-time basis is a completely worthless system

It's not completely worthless if it stops PayPal phishing. A large percentage of phishing that goes on is pretending to be PayPal or Ebay.

Or you're going to have a whole bunch of individual services all trying to get all of the ISPs to provide authentication for their crap

Not "provide authentication". They're not asking ISPs to devise an authentication service. The service ex

Already is illlegal

[Russ Nelson]

It's already illegal to enter premises where you know you're not invited, even if the door is open. Were it not for the fact that your premise is COMPLETELY WRONG, this would a great satire.

Time to move past SMTP?

[mdboyd]

The issue here seems to be spam/phishing. I wonder if it's time to develop something like SMTP 2.0... an equivalent to a "new" e-mail system completely separate from the current one. Maybe it should have centrally managed servers for stricter authentication? Is the current system defective by design or just in need of some updated techniques?

Re:Time to move past SMTP?

[Trillan]

SMTP is not only defective by design, but defective by requirement.

Wait, that can't be possible!

[raehl]

SMTP is not only defective by design, but defective by requirement.

Nobody ever meets the design requirements!

Next you're going to tell me they were on schedule too!

Re:

[Trillan]

From the RFC #2821 (which defiens modern SMTP):

SMTP mail is inherently insecure in that it is feasible for even fairly casual users to negotiate directly with receiving and relaying SMTP servers and create messages that will trick a naive recipient into believing that they came from somewhere else. Constructing such a message so that the "spoofed" behavior cannot be detected by an expert is somewhat more difficult, but not sufficiently so as to be a deterrent to someone who is deter

Nope. SMTP works fine.

[khasim]

It's just that email is NOT a good method to distribute ALL information.

Rather than re-working an existing system so it is more "effective" in handling a specific case, why not look at how best to handle that specific case?

We've been over this before with regular banks. You need two different channels to confirm a transaction to make it "safe" enough for the average person. Web and phone is good combination.

Re:

[brunascle]

but this is more than just one specific case. even if paypal insituted a never-use-email policy, it wouldnt stop the phishing. even if every financial institution used this policy, it would take a while before the public really understood that they should never trust an email from a financial institution. in the time it would take, we could probably develop a new SMTP that would stop the phishing and the spamming.

yes, it's going to be very hard to completely replace SMTP, but the longer we wait the harde

#1. Define your requirements.

[khasim]

but this is more than just one specific case.

Not really. It's "fraud". That's all.

even if paypal insituted a never-use-email policy, it wouldnt stop the phishing.

Correction: It would not stop the phishing attempts. It could stop the fraud from occurring. And that is the goal, is it not?

even if every financial institution used this policy, it would take a while before the public really understood that they should never trust an email from a financial institution.

Let me give you an example of how to end the f

Re:

[ISurfTooMuch]

It's been time to rework SMTP for a decade now. First, it was open mail servers. Next, it was the lack of any verification that a mail server was in the domain it claimed to be in in its HELO line. Next, it's the lack of a way for the SMTP server to authenticate a connecting user.

For every one of these problems, a solution has had to be cobbled together, usually using a large amount of gum, duct tape, and string.

And how long have people been discussing a replacement to SMTP? I remember posts on this sub

I don't get it.

[jpellino]

Because hovering over the link in the mail is hard?

Re:I don't get it.

[sqlrob]

Right, something like http://update-paypal-security.info/ [update-pay...urity.info] is obviously a phish to the average user.

Re:

[Billosaur]

Perhaps, but your average spoofer isn't going to show that URL in the link; it would probably look more like http://security.paypal.com/ [paypal.com] and the average user isn't going to be aware that the source URL for that link is not the same as what's being displayed.

Re:

[LordSnooty]

That's why OP recommended hovering over the link. But people like my Dad wouldn't know the difference between paypal.com & paypal-user.info. And I'm sure he's the type who gets hit by phishing. As others have suggested, maybe it's time for these companies to revert to more traditional, tried & trusted means of communication. It's not like they aren't making stacks of cash every day.

Re:

[The Cisco Kid]

I suspect the PP's sarcasm was a bit too subtle for you - the point is, that to the average user, "update-paypal-security.info" *DOES* look legitimate.

This is a hard problem, and requires people to acquire skills that they should already have to begin with. I blame Microsoft for making it 'too easy' for people, and people for letting MS lead them by the hand.

Re:I don't get it.

[navyjeff]

Right, something like http://update-paypal-security.info/ [update-pay...urity.info] is obviously a phish to the average user.

I think that link is slashdotted. I tried to update my paypal security info, but the site seems to be down. Anyone got a cached link???

(My karma's gonna burn for this...)

Re:

[Billosaur]

It's not hard, but the fact is, the average user doesn't understand that the path in a link may not go to the place they think it will. The truly web-savvy are knowledgeable but in the minority. What is needed is for email clients to have an option similar to what you see here on Slashdot, where the domain of the link is displayed, although it would need to be expanded to accommodate the intricate URLs spoofer sometimes use. If the average user could see a visual representation of the link, they might be mo

Re:

[eli pabst]

I've seen phishing scam emails using obfuscated javascript for links to the actual phishing sites recently, so that isn't always a tipoff. Your grandma and grandpa aren't going to be able to download the page source and walk through the javascript to see what it's doing.

Re:

[pembo13]

If your email client is running javascript, that is your problem

I like this idea

[jhfry]

Why don't major financial insititutions all create a coalition that does exactly this. This coalition would issue signing certificates for the various members, who will then sign all of their email.

All that mail hosts would need to do is verify that the mail was signed by a valid certificate that was issued by the coalition. One certificate to verify against. The coalition can then issue revocation lists as necessary if a member's certificate is ever comprimised.

Seems like an ideal solution to reduce phishing. It could also be used by other organizations who could have their email signed in a similar way, which might allow these messages to bypass spam filters which would benefit the mail hosts.

I think of it as a way to implement a pseudo whitelist, which is by far the best way to ensure that you don't get spam.

KIE2ES: Keep it End-to-End Stupid

[John.P.Jones]

It should be sufficient to let the client handle this, domain's wishing that all mail from their domain should be signed can ADVERTIZE this fact and clients wishing to RESPECT that advertizement can verify signatures and filter incoming mail accordingly.

I guess I am just old-fashioned eh?

We need "Email 2.0"

[erroneus]

The whole idea of creating a newer, more secure and spam-resistant emailing standard has been out there for a long time. There are limitless "great ideas" on how it can be done but the problem is implementation and integration. We're already stuck in this way of doing things.

But somehow we need to answer the need and perhaps under the premise of protecting financials, there might be some potential for movement. I'm thinking that if a consortium of financial groups got together and decided that from here

Re:

[erroneus]

Where's the check box for "I'm an asshole."?

The huge investment in SMTP is irrelevant compared to the huge loss due to fraud. I believe a group of those most concerned should come together to create a solution.

The whole "multiple response" thing intended to illustrate how redundant people's ideas are is really unwelcome and truly reflects on your arrogant personality. Oddly enough, the snottiest of people are generally pretty unhappy with themselves... hope that works out for you eventually.

Re:

[LordEd]

So how about the 'why should we trust the xyz financial consortium' checkbox? Who is allowed into this consortium? How about somebody who sells viagra online, do they get into it? Will you be happy if Microsoft is part of the group who decides who is allowed to send financial-based communications?

How about the client? Are we going to do some base authentication? Who will hold those servers, and why are they trustworthy? How much will it cost to maintain or buy a license (ie, SSL certificates cost mone

Re:

[erroneus]

Just goes to show that you didn't read my initial 'prayer' before you started forming an opinion and judgement. It included, specifically, leanings to OSS drivings or at the very least capability.

Ultimately, a secure email system that is resistant to spam would have the security built into the open structure, not through obscurity or propriety. There would be means by which sender and servers could be authenticated. Under such a scheme, the receiving server would be able to query the sending authority of

Digital signature is the correct approach

[starfishsystems]

If emails were digitally signed, the identity of the sender would either verify or would fail to verify. This sounds like the correct approach. In competing approaches, the message is tagged in some way, the problem being that such messages can still be forged.

The barrier to acceptance of any signature approach (and there are several) is getting everybody on board, or at least a large enough segment of the user population to make a compelling case for others to follow. Paypal might be that segment, bec

Re:

[jfengel]

It's not quite as easy as it sounds. It hinges on the notion of "purporting to be from Paypal users". It's easy to eliminate cases where the return address is paypal.com but the signature fails. It's harder when the return address is paypa1.com (look closely), and eventually it just devolves to the spam recognition problem, which is known to be hard.

And once you've defined that, the digital signature becomes nearly moot. If it's in the "looks like Paypal" category but links to something other than paypa

Re:

[starfishsystems]

Right. I think you're saying that Paypal signatures can only help with verifying Paypal domains, not domains that might to a casual observer look like Paypal domains. I agree with the implied conclusion that signed email don't eliminate this particular type of phishing scam.

Signed email does, however, eliminate the presently very common and significant type of scam that depends on forging emails from legitimate domains.

Signed email also provides an effective basis for spam control, so I have to disagr

PayPal? What about the parent company, eBay?

[idiosynchronic]

My problem isn't PayPal - it's the frickin' parent company of eBay.

The spam and phishing from PayPal is insignificant compared to the crap I get through eBay should I try to auction or sell off an old computer system. (Next to charity donation, it's the best recycling system I have available) The last 3 auctions I did - it took me 6 weeks to get rid of a Tablet PC because the first auction was terminated by a Nigerian trying to defraud me, the 2nd derailed because of the first's premature termination, a

The funny part

[Lumpy]

Most paypal and ebay scam emails DON'T look legitimate. Most are so poorly formed they stand out as fake. From address is wrong, subject is formatted very differently etc... Anyone that uses Paypal regularly can easily see how bad of a job the scammers do in the fake emails.

Problem is, they are taking advantage of the fact that people like me make up 10% of the total population, the rest fall for it because they don't take the time to be careful.

Good news!

[bziman]

I run my own domain, and while I haven't found a good API for checking domain keys yet, one thing I do is check to see if a domain key signature is present in domains that are known to use them -- for example, if a message claims to be from gmail.com or yahoo.com, I just make sure there is a domain key signature header in the message... no need to validate it. Sure a spammer could put a fake signature in, but then it would be block by the major mail providers.

Granted, this is only a short term solution -- I'm hoping that good support for domain keys appears for Exim before too much longer.

I am also using Sender Policy Framework, as one poster suggested, however it does have two significant limitations. The first limitation is that it doesn't work for forwarded account... for example, I use an @acm.org forwarder for some traffic, which means that the host connecting to my mail server is from acm.org, which won't be listed in the SPF entry for iwanttohireyou.com. There have been some proposed methods for re-writing From lines, but it's really not workable. In my case, I know what servers are allowed to forward mail to my domain, and I simply bypass the SPF check in those cases.

The other problem with SPF, that I see more and more, is that most spammers have stopped putting well known domains in their from lines and are instead using garbage domains, which of course do not have SPF entries. If SPF was universal, then the absence of an SPF entry would tell you something, but it isn't, so it doesn't.

Still, between SPF, domain keys, and well monitored RBLs, you can keep spam to a minimum, and I applaud PayPal for trying to get other ISPs to implement these sorts of controls.

-brian

Mail readers need to improve

[postbigbang]

Ok, class, here's the header, now tell me what's wrong with it:

Date: March 28, 2007 9:36:46 AM EDT
From: admin@paypal.com
Subject: Your PayPal account access is limited.
To:
Reply-To: paypal@paypal.com
Return-Path:
Received: from 10.0.0.2 (ont-static-216.70.173.8.mpowercom.net [216.70.173.8] (may be forged)) by localhost.localdomain (8.12.11.20060308/8.12.11) with SMTP id l2SDfRsJ001136 for ; Wed, 28 Mar 2007 08:41:29 -0500
Received: from by ; Wed, 28 Mar 2007 17:30:46 +0400
Message-Id: >
X-Mailer: Inter

*PGP/GnuPG, anyone?

[ettlz]

And for those of us who already sign our e-mails and publish a public key, why doesn't PayPal simply distribute its public key block on its web-site, using HTTPS so that its integrity is maintained?

Email is Stupid

[objekt]

I've said it before and I'll say it again; email is stupid. I freaking HATE email. It's mostly spam and is rarely useful.

I rely on forums and chats for 99% of my useful communications on the internet.

The whole concept of email needs to be redesigned, as others have pointed out.

Paypal should communicate with users through it's site, NOT through email.

Keys are not the answer..

[eplossl]

Unfortunately, SPF and DomainKeys (DKIM) are not the answer to verifying mail. Currently, as has already been discussed thoroughly, the adoption rate for both of these among legitimate senders of mail has been abysmal. Those few who have adopted these tools are in the minority, and as a result, it is impossible to rely upon these tools as definitive proof that a message is legitimate.

Compounding this problem is the fact that there is NOTHING in place to stop spammers from setting up a SPF record or perhap

Re:

[Blain]

Spam is hard to identify? I'm not sure what you're talking about. I've been using PopFile to sort my email for quite a long time, in both high-spam periods and low-spam periods, and it's been more than 99% accurate almost all of that time (more than 90% accurate within a week even on low volume with a little training). It took about three messages to train it to tell phish from spam.

I've been curious as to why providers like gmail and hotmail don't check to see if a message being sent to some threshold n

So why is paypal still *testing*??

[Russ Nelson]

If you look at their _domainkey.paypal.com record, it looks like this:

_domainkey.paypal.com. 3600 IN TXT "t=y\; o=~"

The t=y value says that they're still just testing. According to the DomainKeys standard, that means that you're not supposed to take any action based on the result of checking the DomainKeys signature.

GNUPG

[Randseed]

Why the frak don't they just use PGP/GnuPG? Cripes.

Sounds fair to me

[phorm]

I've gotten plenty of spams that look exactly like the paypal "you have paid X" emails. The only difference is that the site it links to is not paypal, but one intended to snarf your password.

It's always worth checking out when you get a notification that a possibly-fraudulant purchase has been made. In my case I just go directly to paypal in my browser (without using the link in the email) and check my account, but I'd bet a lot of people might get suckered by this one.

Is there a way to enable signatur

they need to 'hard fail all' in their SPF record

[marvinglenn]

The first thing they should do is change the "~all" to "-all" at the end of their SPF [openspf.org] records.

paypal.com. 3600 IN TXT "spf2.0/pra mx include:s._sid.ebay.com include:m._sid.ebay.com include:p._sid.ebay.com include:c._sid.ebay.com include:spf-2._sid.paypal.com ~all"
paypal.com. 3600 IN TXT "v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com include:spf-1.paypal.com ~all"

DomainKeys my A**

[l3v1]

Honestly, I don't want no companie's own e-mail verification system. People - yes, real people, and surprise surprise quite a lot of us - use GPG for signing and encrypting e-mails and everything else, and there are lots of freely usable keyservers out there. But hell would freeze over if any company with their bucks dropping out from their a**es would ever just use a proven, available and easy way of e-mail signing. Just give all your users keys and you're done, they don't even have to know they have one.

DomainKeys

[DaMattster]

On its face, this seems like a good idea. But, there are bound to be problems related to interoperability with the various SMTP server implementations. Don't everyone groan at once when I mention M$ Exchange. I have thought of suggesting using OpenPGP but any joe blow could create a PGP public/private key-pair that purports to be from Paypal and use that key to send out phishing emails. I suppose Paypal could include a fingerprint of its key but I am not really sure. S/MIME might also be another option for digital signing.

Re:How about just block emails from paypal?

[DrLov3]

How dare they do this, imspeech the people sending emails to me(scammer or not), I need those emails, thier futile attemps to get my money is detectable at the naked eye, I need those for my weekly laughter at thier incompetence, keeps me cheered up, otherwise I might go on a killing spree or something, and paypal will be held accountable for the death and violence.

I mean why on earth would a third party have the right to request that I stop recieving my emails.

Re:

[networkBoy]

Fair enough.
I run a script that loads their page mercilessly and attempts to log in through their proxy/spoof with random credentials.
It's a practice that's gotten me DOS'd more than once.

But your average joe sixpack is susceptible to these scams, and as such I like what ebay corp. is attempting to do.
-nB

Re:How about just block emails from paypal?

[The Cisco Kid]

Someone one said "A fool and his money are soon parted".

Joe Sixpack needs to get off his ass, and actually learn something about the tool (yes its a TOOL, not a toy) he is using to send/receive REAL money to/from other people. If he is too lazy/ignorant/unmotivated to do that, then he will get ripped off, and its not ebay, paypal, or the government's job to protect him from his own stupidity.

Re:

[miskatonic alumnus]

Where is he going to learn it?

If we consider the shabby level of education received by Joe-6-pack in the American school system, it's doubtful that the poor bastard is familiar with the most basic methods of research. If it ain't on television, he probably hasn't got a clue about it.

Over the decades our socio-economic system has moved in a direction that requires people to be increasingly dependent upon that system for nearly everything --- food, information, health care, appliance and automobile mainten

Re:How about just block emails from paypal?

[indifferent children]

...medicate themselves...

They're willing to try. That's why the Dremel tools come with a warning, "This is not a dental tool."

Re:

[networkBoy]

If it ain't on television, he probably hasn't got a clue about it.

If it ain't on television and sufficiently entertaining, he probably hasn't got a clue about it.
PBS has some very educational shows out there, but I would postulate that Joe goes "ewwww educational crap" and changes the channel faster than the speed of light. Any research Joe puts forth is likely how to delete the educational channel(s) from the TV's autoscan list (in a fit of irony).
-nB

Re:

[MBGMorden]

Please. I went to a public school South friggen Carolina. We were (at the time) ranked one of the lowest states in education nationwide. Did I have some trouble transitioning into college course? A little, but I did fine in the end. Could the education have been better? Yes. That being said, people make WAY too much fuss over how "bad" the education system is in the US. I might have a shotgun and a pack of hunting dogs, but I also know very well what String Theory and Hawking Radiation are :). We h

Re:How about just block emails from paypal?

[miskatonic alumnus]

That being said, people make WAY too much fuss over how "bad" the education system is in the US.

I'm in a position to criticize this education system, having spent 12 years attempting to teach mathematics (including remedial mathematics) to its graduates. I've spoken with the students and their previous instructors, and determined that their public school teachers don't understand the material they "teach". My colleagues who teach history, art, biology, political science, and English say the students do little better in those areas. So yeah, the schools suck --- except when it comes to sports, of course.

You want to accuse "Joe-6-pack" of being stupid then go right ahead, but it's a result of his own choices. Anybody who wants to learn in an American school can still do fairly well.

Here's the rub --- in order to make an informed, rational, intelligent choice you have to be educated. It's a vicious circle: bad decisions lead to ... more bad decisions. You can't bootstrap yourself from an illiterate, innumerate dunce to a Bill Gates or Einstein without a proper support network. Some are capable of doing more with less, but you can't just throw a computer or a book at a child, say "Teach thyself!" and expect good results.

Re:How about just block emails from paypal?

[miskatonic alumnus]

What next? If a person can't keep from being killed, he shouldn't be alive in the first place? What's with this blaming the victim? How about we get some decent security as part of the e-mail infrastructure? How about we ramp up prosecution of these thieves?

I'll tell you a little story. Once I was operating a cash register, and got conned by a change-raising artist. How humiliating. I guess I shouldn't handle cash.

Re:

[eli pabst]

While I agree with you to an extent, if there are trivial measures that you can implement to stop this then why wouldn't you?

Plus many of the phishing scams are actually becoming rather complex. Many are now linking images directly from the targets website so that they look fairly legitimate and then use tricks like obfuscated javascript for the link to the phishing site itself so that a cursory "put mouse over link and see where it goes" isn't going to be a clear tipoff to joe sixpack.

We've been through this before

[Beryllium Sphere(tm)]

Coins, money, checks and stock certificates have all been forged. One option would have been blaming the victims. Instead the industries involved developed anti-forgery technology and deployed it.

Today email is being forged for criminal gain. The anti-forgery technology already exists. Paypal is negotiating with their business partners to get it deployed.

We all benefit from closing off easy opportunities for crime. Blaming the victim doesn't work very well in the case of a pharming attack anyway.

Re:

[account_deleted]

Comment removed based on user account deletion

Re:

[Goaway]

Just what is "imspeech" supposed to mean? I honestly can't figure it out.

Re:

[Spazmania]

Easier said than done. How do their systems know that an email purports to be from paypal? The fact that it says "paypal"? This post would be blocked. That there is a link to paypal? The link isn't to paypal; its to the phishing site. If there was a way to "know" that an email purported to be from paypal, most of these services would already block it due to Paypal's SPF records.

Re:

[Jimmy King]

The same way the SPF records catch them, most of them I get claiming to be from paypal have a paypal.com e-mail address as the from address.

Re:

[Spazmania]

Then they don't need domain keys, do they? They could just drop messages with paypal.com in the from address that fail SPF.

Except if you check closely, the messages probably didn't use paypal.com in the envelope sender; they probably only used it in the From header. This means that if the service blocked those messages then anybody agregating multiple email addresses in to one mailbox would see their messages fail at the forwarder.

Re:

[Jimmy King]

Then they don't need domain keys, do they? They could just drop messages with paypal.com in the from address that fail SPF.

My understanding of the article is that using SPF might be considered a valid protection. DomainKeys is the only thing specifically mentioned but the article does say "several technologies". While SPF isn't digital signing, I wouldn't be surprised if it is included in that list. Basically asking providers to use one or more of a variety of technologies to help with the problem.

Except

Re:

[Jimmy King]

Dammit, I hate when I forget to preview first. I missed a set of blockquote tags, so just in case that above post is unclear, here's where the second blockquote should have been.

Except if you check closely, the messages probably didn't use paypal.com in the envelope sender; they probably only used it in the From header. This means that if the service blocked those messages then anybody agregating multiple email addresses in to one mailbox would see their messages fail at the forwarder.

Just to make sure I'm

Re:

[Spazmania]

you mean as in if I had say 5 e-mail address and each of them forwarded the e-mail to me@myemail.com so that I could check them all in one place and my real paypal e-mails were being sent to one of those original 5?

Correct. Its a relatively common occurance: you have everything going to me@myisp.com but you start using me@gmail.com instead so you have your ISP forward everything that goes to me@myisp.com to me@gmail.com.

If that's the case I'm guessing that Ebay/Paypal are just betting on there being a minim

Re:

[Jimmy King]

Debatable, but even if it was perfectly true it doesn't open an avenue to a solution. The odds of Joe User noticing that the email really came from accounts@ppaypal.com aren't very good. After all, he already missed the fact that the url links to http://12323984378/steal/my/info.php [12323984378] [12323984378].

Unless the provider uses domain keys or the like for ALL email (not just email @paypal.com) paypal's problem isn't addressed. That means every mail server operator, even the home hobbiest, has to subscribe to some

Re:

[Bassman59]

That means every mail server operator, even the home hobbiest ...

Buy a fucking dictionary, will ya? (Or at least use Firefox and its built-in spell check.)

"hobbiest"

[burndive]

I think he was referring to their hobbit-like smallness.

Re:

[Fulcrum of Evil]

That means every mail server operator, even the home hobbiest, has to subscribe to some third-party authentication service like domain keys.

I'm just a hobbier, not a hobbiest. Of course, public key stuff means you just have to generate a keypair and put the public one in your domain record.

Re:

[suggsjc]

That means every mail server operator, even the home hobbiest, has to subscribe to some third-party authentication service like domain keys.

Yes, but no.
Only the mail server operators that want to prevent phishing scams targeting PayPal would have to implement "some third-party authentication."

I understand what you are saying, and coming up with a solution that only solves a very specific problem (or subset or a problem) isn't very efficient. But if the big players like google, yahoo, microsoft all did

Re:

[WoodstockJeff]

If there was a way to "know" that an email purported to be from paypal, most of these services would already block it due to Paypal's SPF records.

Not true - paypal.com and ebay.com both end their SPF record with "~all" (i.e., "softfail any address not listed"), which won't be bounced by most SPF implementations. Until they change it to "-all" (which they probably do because they're not really sure they've covered all machines that could send legitimate mail for paypal.com), you can not safely bounce imp

Re:

[Asgard]

The mere existence of a DomainKeys header does not mean the message is genuine -- you have to check the signature for validity. If you are getting spam that purports to be from a domain that it obviously isn't yet has a valid DomainKeys header, then that is a much bigger deal. I suspect in your case someone copied a header from a valid message. The header should process as invalid.

Re:

[Spazmania]

You're missing the point. The email can be from "Paypal Accounting Department <accounts@[127.0.0.1]>." Joe User isn't going to notice the difference and there is no SPF record blocking anything from @[127.0.0.1].

Paypal only sees anti-fraud benefits if all email uses a third-party authentication service like Domain Keys. Then once the phishing is discovered you can go to the third party and find out who the key belongs to. Phishing theoretically becomes like robbing a bank without a mask: its relativel

Re:

[Aladrin]

Enforce? Who said anything about enforcing? If they can simply get the major ISPs (AOL, Earthlink, MSN, etc) to agree to do this server-side, that'll leave only businesses and people smart enough to have their own domain that don't have this protection. It will remove the majority of the phishing.

This is not a customer-side solution, so they aren't trusting users with anything.

Do I think it's a good idea or even that it'll happen? Not really. But it's a nice gesture from a company who is usually just c

Re:

[nuzak]

> At the moment, since mail clients don't know anything about DomainKeys, we have NO WAY of knowing if mail really is from PayPal.

Domainkeys don't need support in the MUA -- the MTA can discard messages failing a domainkey check before it even gets to the user.

If Paypal is officially saying "drop all mail from an address @paypal.com that doesn't have a domainkey", I'll be happy to oblige. I'll bet you a stack of gold bars (smuggled out of Nigeria of course) that they have third-party marketers that don'

Re:

[nuzak]

> Since DomainKeys are not part of SMTP and since - other than a verbal/written PayPal request - there is no requirement for SMTP servers to discard unsigned e-mails,

You seem to be under the impression that MTA == SMTP server. Their job is to transfer messages: policy regarding transfer (including whether it's transferred at all) is part of the package, and RFC2822 headers have been the province of the MTA from day 1 (Received headers for instance). Some MTAs even speak other protocols.

I do this stuff