PayPal Battling Back Against The Phishers

from the paypalcom.ru dept

The idea of authenticating email as a means of stopping spam and phishing has been talked about for some time, but for various reasons, including standards disputes, the concept hasn't really gone anywhere. Now PayPal, the most popular target among phishers, is proposing a slightly different take on the concept that sounds sort of interesting. The company is urging popular webmail providers like Google and Yahoo to automatically deny any emails coming from a @paypal.com address unless it's authenticated with an established digital signature. So far, the company hasn't gotten any takers, but it would be an interesting experiment to try. Of course, this wouldn't stop attackers from sending emails from different addresses that looked like PayPal's, but these are likely to be less effective anyway. Ultimately, no one solution is going to be a magic bullet for stopping phishing, but anything that can reduce its volume while still allowing legitimate email to get through is a step in the right direction.


Reader Comments



  • Buzz, 29 Mar 2007 @ 5:31pm

    Hax

    I have received so many PayPal phishing attempts, it is disgusting. My wife and I even had some UK woman bid on our item (despite us not offering an International shipping option) and attempt to send us a PayPal email claiming that the money would go through once we shipped the item. Having plenty of eBay experience, we knew that this was totally bogus. Not only do buyers ALWAYS pay first, she was avoiding the eBay channels of communication; she was sending emails and stuff.


  • Ayal Rosenthal, 29 Mar 2007 @ 6:29pm

    do what the blogs do

    There are various blogs using many different, effective authentication methods. The large techs can learn something from the little guys.


  • RandomThoughts, 29 Mar 2007 @ 6:55pm

    Authentication is a two way street. The site/bank/paypal has to authenticate the user, but there has to be a way for the user to authenticate the site also.


  • Nick Burns, 29 Mar 2007 @ 6:55pm

    re:do what the blogs do

    and what are these effective blog-used authentication methods? are you talking about the crypto-spelling-match-from-a-picture thing? that is only a measure to verify that the person filling out a form is an actual human. that process can not be applied to authenticating email messages.

    paypal could instead borrow a page from banks... put an inbox in your account and send only notification messages to the user's email address. tell them in the notification emails that they have a new message in their paypal account inbox. internalize the messaging system.

    otherwise, this idea sounds like it has the potential to work, but they should drop the whole "block the email part". the blocking part makes this solution hard to implement industry- or internet-wide. it requires each email service to maintain a list of domains to block without a cert.

    http://opinionone.blogspot.com


  • Conrad, 29 Mar 2007 @ 7:34pm

    Is this not what SPF already does?

    The paypal spf record:

    "v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com include:p._spf.ebay.com include:c._spf.ebay.com include:spf-1.paypal.com ~all"

    Just change that to -all and problem solved.

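The difference between `~all` and `-all` in the record Conrad quotes, as an added example that is not part of the original thread: the code parses the record and reports the SPF result for a sender that matches none of the listed mechanisms. The `receiver_action` policy is an assumption; each mail server decides for itself how to treat `softfail` and `fail`.

```python
# Added example: reading the terminal "all" mechanism of an SPF record.
QUALIFIERS = {"+": "pass", "-": "fail", "~": "softfail", "?": "neutral"}

# The record as quoted in the comment above.
QUOTED_RECORD = (
    "v=spf1 mx include:s._spf.ebay.com include:m._spf.ebay.com "
    "include:p._spf.ebay.com include:c._spf.ebay.com "
    "include:spf-1.paypal.com ~all"
)

def parse_spf(record):
    """Return the record's mechanisms as (qualifier, name, value) tuples."""
    tokens = record.split()
    if not tokens or tokens[0].lower() != "v=spf1":
        raise ValueError("not an SPF version 1 record")
    terms = []
    for tok in tokens[1:]:
        if "=" in tok.split(":")[0]:      # modifier such as redirect=, not a mechanism
            continue
        qualifier = "+"                   # a mechanism without a prefix means "pass"
        if tok[0] in QUALIFIERS:
            qualifier, tok = tok[0], tok[1:]
        name, _, value = tok.partition(":")
        terms.append((qualifier, name.split("/")[0].lower(), value))
    return terms

def default_result(record):
    """SPF result for a sender that matches none of the earlier mechanisms."""
    for qualifier, name, _ in parse_spf(record):
        if name == "all":
            return QUALIFIERS[qualifier]
    return "neutral"                      # no "all" term (redirect= is not followed here)

def receiver_action(result):
    """Assumed receiver policy (hypothetical): only a hard fail is refused."""
    return {"fail": "reject", "softfail": "accept, flag as suspicious"}.get(result, "accept")

if __name__ == "__main__":
    for rec in (QUOTED_RECORD, QUOTED_RECORD.replace("~all", "-all")):
        res = default_result(rec)
        print(rec.split()[-1], "->", res, "->", receiver_action(res))
```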

  • Tracker1, 30 Mar 2007 @ 1:03am

    hmm...

    I have to agree with Conrad here... that would resolve it on servers that actually check SPF...


  • Glenn, 30 Mar 2007 @ 11:28am

    Bigger problem requires bigger solution

    It's possible that Paypal can negotiate a digital signature with the big boys, but everyone can. We are all being deluged with more and more spam, and there needs to be a way to filter out the stuff I want to read from the other crap. Yahoo, Gmail, Aol, etc have been taking their own approach to this, using graphical filters and spam filters that are mystical to most users.

    As more companies embrace email as an integrated marketing channel, users will only have eyes for a few select messages. And the wider scope of this issue is how to put that control back with the reader; not the sender.


  • L, 30 Mar 2007 @ 12:54pm

    Paypal

    Paypal really oughta concentrate on fixing their user database first. It seems almost every week I have to log on and change my password again!


    • Anonymous Coward, 30 Mar 2007 @ 12:59pm

      Re: Paypal

      Paypal really oughta concentrate on fixing their user database first. It seems almost every week I have to log on and change my password again!
      You too?
      :D


  • Anonymous Coward, 30 Mar 2007 @ 12:56pm

    Most of these e-mail "authentication" schemes boil down to a money-making system that charges people some sort of "licensing" or "registration" fee to send e-mail. Paypal is promoting yet another of these schemes. In this case there are several patents on the process they are encouraging the webmail providers to adopt. I wish I could get all the webmail providers to reject any e-mail that didn't have _my_ approval. I'd be rich!


  • fake paypal emails?

    If the various web-mails (yahoo, gmail, etc) can already detect junk mail with some accuracy, it seems to me that they and microsoft outlook could also detect an attempt to phish. We get the same paypal emails several times a week - or the bank-of-america one. pain in the neck.


  • John Q. Netizen, 18 Sep 2007 @ 7:49am

    Is this PayPal logon page a fake ????

    Is this PayPal logon page a fake ????
    http://login3.paypalglobaldatabase.com/cgi-bin/webscr.php?cmd=_login-run
    The link was sent in e-mail.
    This page: http://paypalglobaldatabase.com/
    Shows: paypalglobaldatabase.com This page is parked free, courtesy of GoDaddy.com


  • rendom, 10 Feb 2009 @ 11:34am

    megaupload downloading

    One of the best file centers is Megaupload! For a proper search and downloading use http://megaupload.name/


