PayPal Battling Back Against The Phishers

from the dept

The idea of authenticating email as a means of stopping spam and phishing has been talked about for some time, but for various reasons, including standards disputes, the concept hasn’t really gone anywhere. Now PayPal, the most popular target among phishers, is proposing a slightly different take on the concept that sounds sort of interesting. The company is urging popular webmail providers like Google and Yahoo to automatically deny any emails coming from a address unless it’s authenticated with an established digital signature. So far, the company hasn’t gotten any takers, but it would be an interesting experiment to try. Of course, this wouldn’t stop attackers from sending emails from different addresses that looked like PayPal’s, but these are likely to be less effective anyway. Ultimately, no one solution is going to be a magic bullet for stopping phishing, but anything that can reduce its volume while still allowing legitimate email to get through is a step in the right direction.

Rate this comment as insightful
Rate this comment as funny
You have rated this comment as insightful
You have rated this comment as funny
Flag this comment as abusive/trolling/spam
You have flagged this comment
The first word has already been claimed
The last word has already been claimed
Insightful Lightbulb icon Funny Laughing icon Abusive/trolling/spam Flag icon Insightful badge Lightbulb icon Funny badge Laughing icon Comments icon

Comments on “PayPal Battling Back Against The Phishers”

Subscribe: RSS Leave a comment
Buzz says:


I have received so many PayPal phishing attempts, it is disgusting. My wife and I even had some UK woman bid on our item (despite us not offering an International shipping option) and attempt to send us a PayPal email claiming that the money would go through once we shipped the item. Having plenty of eBay experience, we knew that this was totally bogus. Not only do buyers ALWAYS pay first, she was avoiding the eBay channels of communication; she was sending emails and stuff.

Nick Burns (user link) says:

re:do what the blogs do

and what are these effective blog-used authentication methods? are you talking about the crypto-spelling-match-from-a-picture thing? that is only a measure to verify that the person filling out a form is an actual human. that process can not be applied to authenticating email messages.

paypal could instead borrow a page from banks… put an inbox in your account and send only notification messages to the user’s email address. tell them in the notification emails that they have a new message in their paypal account inbox. internalize the messaging system.

otherwise, this idea sounds like it has the potential to work, but they should drop the whole “block the email part”. the blocking part makes this solution hard to implement industry- or internet-wide. it requires each email service to maintain a list of domains to block without a cert.

Glenn says:

Bigger problem requires bigger solution

It’s possible that Paypal can negotiate a digital signature with the big boys, but everyone can. We are all being deluged with more and more spam, and there needs to be a way to filter out the stuff I want to read from the other crap. Yahoo, Gmail, Aol, etc have been taking their own approach to this, using graphical filters and spam filters that are mystical to most users.

As more companies embrace email as an integrated marketing channel, users will only have eyes for a few select messages. And the wider scope of this issue is how to put that control back with the reader; not the sender.

Anonymous Coward says:

Most of these e-mail “authentication” schemes boil down to a money-making system that charges people some sort of “licensing” or “registration” fee to send e-mail. Paypal is promoting yet another of these schemes. In this case there are several patents on the process they are encouraging the webmail providers to adopt. I wish I could get all the webmail providers to reject any e-mail that didn’t have _my_ approval. I’d be rich!

Add Your Comment

Your email address will not be published. Required fields are marked *

Have a Techdirt Account? Sign in now. Want one? Register here

Comment Options:

Make this the or (get credits or sign in to see balance) what's this?

What's this?

Techdirt community members with Techdirt Credits can spotlight a comment as either the "First Word" or "Last Word" on a particular comment thread. Credits can be purchased at the Techdirt Insider Shop »

Follow Techdirt

Techdirt Daily Newsletter

Techdirt Deals
Techdirt Insider Discord
The latest chatter on the Techdirt Insider Discord channel...