SMS The Latest Tool To Help Smokers Quit? >>
<< Oh No, US Falls Behind Denmark In Terms Of...
 tdicon 


Email

by Joseph Weisenthal

Thu, Mar 29th 2007 5:10pm





PayPal Battling Back Against The Phishers

from the paypalcom.ru dept

The idea of authenticating email as a means of stopping spam and phishing has been talked about for some time, but for various reasons, including standards disputes, the concept hasn't really gone anywhere. Now PayPal, the most popular target among phishers, is proposing a slightly different take on the concept that sounds sort of interesting. The company is urging popular webmail providers like Google and Yahoo to automatically deny any emails coming from a @paypal.com address unless it's authenticated with an established digital signature. So far, the company hasn't gotten any takers, but it would be an interesting experiment to try. Of course, this wouldn't stop attackers from sending emails from different addresses that looked like PayPal's, but these are likely to be less effective anyway. Ultimately, no one solution is going to be a magic bullet for stopping phishing, but anything that can reduce its volume while still allowing legitimate email to get through is a step in the right direction.

13 Comments | Leave a Comment..


If you liked this post, you may also be interested in...
 

Reader Comments (rss)

(Flattened / Threaded)

  1.  

    Hax

    identicon
    Buzz, Mar 29th, 2007 @ 5:31pm

    I have received so many PayPal phishing attempts, it is disgusting. My wife and I even had some UK woman bid on our item (despite us not offering an International shipping option) and attempt to send us a PayPal email claiming that the money would go through once we shipped the item. Having plenty of eBay experience, we knew that this was totally bogus. Not only do buyers ALWAYS pay first, she was avoiding the eBay channels of communication; she was sending emails and stuff.

    reply to this | link to this | view in thread ]

  2.  

    do what the blogs do

    identicon
    Ayal Rosenthal, Mar 29th, 2007 @ 6:29pm

    There are various blogs using many different, effective authentication methods. The large techs can learn something from the little guys.

    reply to this | link to this | view in thread ]

  3.  
    identicon
    RandomThoughts, Mar 29th, 2007 @ 6:55pm

    Authentication is a two way street. The site/bank/paypal has to authenticate the user, but there has to be a way for the user to authenticate the site also.

    reply to this | link to this | view in thread ]

  4.  

    re:do what the blogs do

    identicon
    Nick Burns, Mar 29th, 2007 @ 6:55pm

    and what are these effective blog-used authentication methods? are you talking about the crypto-spelling-match-from-a-picture thing? that is only a measure to verify that the person filling out a form is an actual human. that process can not be applied to authenticating email messages.

    paypal could instead borrow a page from banks... put an inbox in your account and send only notification messages to the user's email address. tell them in the notification emails that they have a new message in their paypal account inbox. internalize the messaging system.

    otherwise, this idea sounds like it has the potential to work, but they should drop the whole "block the email part". the blocking part makes this solution hard to implement industry- or internet-wide. it requires each email service to maintain a list of domains to block without a cert.

    http://opinionone.blogspot.com

    reply to this | link to this | view in thread ]

  5.  
    identicon
    Conrad, Mar 29th, 2007 @ 7:34pm

    Is this not what SPF already does?

    The paypal spf record:

    "v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com include:spf-1.paypal.com ~all"

    Just change that to -all and problem solved.

    reply to this | link to this | view in thread ]

  6.  

    hmm...

    identicon
    Tracker1, Mar 30th, 2007 @ 1:03am

    I have to agree with Contrad here... that would resolve it on servers that actually check SPF...

    reply to this | link to this | view in thread ]

  7.  

    Bigger problem requires bigger solution

    identicon
    Glenn, Mar 30th, 2007 @ 11:28am

    It's possible that Paypal can negotiate a digital signature with the big boys, but everyone can. We are all being deluged with more and more spam, and there needs to be a way to filter out the stuff I want to read from the other crap. Yahoo, Gmail, Aol, etc have been taking their own approach to this, using graphical filters and spam filters that are mystical to most users.

    As more companies embrace email as an integrated marketing channel, users will only have eyes for a few select messages. And the wider scope of this issue is how to put that control back with the reader; not the sender.

    reply to this | link to this | view in thread ]

  8.  

    Paypal

    identicon
    L, Mar 30th, 2007 @ 12:54pm

    Paypal really oughta concentrate on fixing their user database first. It seems almost every week I have to log on and change my password again!

    reply to this | link to this | view in thread ]

  9.  
    identicon
    Anonymous Coward, Mar 30th, 2007 @ 12:56pm

    Most of these e-mail "authentication" schemes boil down to a money-making system that charges people some sort of "licensing" or "registration" fee to send e-mail. Paypal is promoting yet another of these schemes. In this case there are several patents on the process they are encouraging the webmail providers to adopt. I wish I could get all the webmail providers to reject any e-mail that didn't have _my_ approval. I'd be rich!

    reply to this | link to this | view in thread ]

  10.  

    Re: Paypal

    identicon
    Anonymous Coward, Mar 30th, 2007 @ 12:59pm

    Paypal really oughta concentrate on fixing their user database first. It seems almost every week I have to log on and change my password again!
    You too?
    :D

    reply to this | link to this | view in thread ]

  11.  

    fake paypal emails?

    identicon
    If the various web-mails (yahoo, gmail, etc) can already detect junk mail with some accuracy, it seems to me that they and microsoft outlook could also detect an attempt to phish. We get the same paypal emails several times a week - or the bank-of-america one. pain in the neck.

    reply to this | link to this | view in thread ]

  12.  

    Is this PayPal logon page a fake ????

    identicon
    John Q. Netizen, Sep 18th, 2007 @ 7:49am

    Is this PayPal logon page a fake ???? http://login3.paypalglobaldatabase.com/cgi-bin/webscr.php?cmd=_login-run The link was sent in e-mail This page: http://paypalglobaldatabase.com/ Shows: paypalglobaldatabase.com This page is parked free, courtesy of GoDaddy.com

    reply to this | link to this | view in thread ]

  13.  

    megaupoad downloading

    identicon
    rendom, Feb 10th, 2009 @ 11:34am

    One of the best file centers is Megaupload! For a proper search and downloading use http://megaupload.name/

    reply to this | link to this | view in thread ]


Add Your Comment

Have a Techdirt Account? Sign in now. Want one? Register here
Get Techdirt’s Daily Email
Save me a cookie
  • Note: A CRLF will be replaced by a break tag (<br>), all other allowable HTML will remain intact
  • Allowed HTML Tags: <b> <i> <a> <em> <br> <strong> <blockquote> <hr> <tt>


SMS The Latest Tool To Help Smokers Quit? >>
<< Oh No, US Falls Behind Denmark In Terms Of...
 tdicon 

A word from our Sponsors...
Follow Techdirt
Flattr rss rss

Powered by Postrank

From the Techdirt Archive...
A word from our Sponsors...

Close

Email This