Gmail uses DomainKeys to lock out eBay phishing attacks

eBay and PayPal have linked up with Gmail to roll out technology designed to block fraudulent emails and phishing attacks. DomainKeys and DomainKeys Identified Mail (DKIM) email authentication technology is being used to prevent the delivery of bogus messages posing as emails from eBay and PayPal into Gmail users' inboxes. …

COMMENTS

This topic is closed for new posts.
  1. Craig Foster

    What about SPF

    I use SPF quite a bit, and it usually dumps the paypal and ebay scams quickly.

    There's also not much overhead, other than dns (since we're doing rbl lookups anyway)

  2. Paul

    That's all very well

    but how does it help me get my share of 30 million dollars (US) out of the Bank of Nigeria ?

  3. shay mclachlan

    @That's all very well

    'but how does it help me get my share of 30 million dollars (US) out of the Bank of Nigeria ?'

    I hate to see a person such as yourself suffer a misfortune like this. For sure and I can help you with that, all you need to do is email me your bank account details & I will sort it for you.

  4. Anonymous Coward
    Happy

    Hang on!

    Who are they to intercept my email?!?

    I want all of my email delivered, not rifled through by my postie who then decides in a crackpot fashion which is suitable for me to read.

    Send all the spam through!

    I Love It!!!

  5. The Cube
    Stop

    'eBay finally implements basic email security solution years after it became available'

    DKIM is not specific to eBay or Gmail, I have had it with our email inspection provider Citrus for well over a year. As already commented SPF should also be implemented, honestly how hard is it to create a dns record? That eBay and PhishPal have only just been arsed to implement some of the basics of email security is all the evidence you need that they couldn't give a toss about their customers being defrauded. This extends to all the retail banks, next time one of them bleats on about 'customer care' or 'security' ask them why they have not deployed simple measures such as this, there is no downside for customers who do not have DKIM or SPF capability, the answer is that the banks don't give a monkeys about phishing either.

    Oh, and if some Micro$oft muppet turns up bleating on about 'Sender ID' explain to them that there was an existing, public, royalty free standard called SPF and that implementing a Micro$oft specific 'standard' and then refusing to support anything else won't help them or the rest of the world and no, you won't be coming to shore up their monopoly. If that doesn't get rid of them then ask about their pay to spam program on Hotmail where you can pay to 'register' your domain so email gets through and then spam all you like.

  6. Stephen Stagg
    Paris Hilton

    @Paul

    Actually, I have a contact working in the Bank of Nigeria who assures me that your $ 30 million (US) are secured, and awaiting transfer immediately to your bank account should you wish to receive it. Just send a signed letter, including your bank account number, NI Number, Pin Number, date of birth, 3 utility bills, a photocopy of your passport, and your driving licence to:

    D OdgyForkers, London. PO BOX 666

    And await your millions.

  7. Anonymous Coward
    Paris Hilton

    eBay and Paypal DNS issues

    If those twats got their mail servers' DNS records set up properly then all mail servers could just reject out of hand any email claiming to come from their servers where the reverse DNS fails. Trouble is since eBay and Paypal are run by amateurs who shouldn't even be allowed on the internet, some mail servers are correctly configured and others aren't (note the lack of consistency here !). Get that sorted and it's not just Gmail who would benefit.

    Trouble is eBay is too busy aiding and abetting in the selling of counterfeit goods (according to the EU) to bother with troublesome little things like security.

    Only one auction site on the 'net, just like there is only one Paris all over the 'net

  8. Dan K
    Paris Hilton

    "Dramatic reduction"...

    ...I somehow doubt it. Around 90% of the spoofed emails I get are not from paypal.com or ebay.com.

    Paris, cause she doesn't engage in pointless PR.

  9. Joe Montana

    ebay investigations

    When you file a claim under ebay's "buyer protection" plan, they send you a mail some time later asking you to fax off details of the transaction to them... This mail sometimes comes from a completely different address range to normal ebay mails, is formatted slightly differently, and likely won't have this domainkeys on it either...

    The mail has a deadline, ie you must fax the details they ask for within 14 days or your claim will be denied, but because the mail looks suspicious and asks you to send personal information to an arbitrary phone number some people will question its validity.... ebay won't answer this question, I asked several times and got no response resulting in my claim being cancelled.

  10. Gordon Fecyk
    Go

    @TheCube, re: SPF

    "Oh, and if some Micro$oft muppet turns up bleating on about 'Sender ID' explain to them that there was an existing, public, royalty free standard called SPF."

    Um... what do you think Sender ID is, besides Microsoft-branded SPF?

  11. Herby

    A couple of things that always help...

    Plain text email (no HTML!)

    Be VERY wary of ANY email that is addressed to "Undisclosed Recipients".

    If the eBay/PayPal people would do the first, it would cut down on traffic, and be "safer". Of course anything helps!

  12. Kevin McMurtrie Silver badge
    Thumb Down

    Turn that filter around, please

    This is all funny because Google is the biggest origin of spam that I've ever seen. I have all of their mail servers blocked from my mail account to stop the junk flood. Their Usenet service spews thousands of CC phishing posts and spams a day. The infamous Nike shoe phisher has been using Google for years. Google doesn't care how much spam they send as long as it doesn't come back to them.

  13. Anonymous Coward
    Anonymous Coward

    SPF is as much of a problem as spam.

    "there was an existing, public, royalty free standard called SPF"

    SPF is hardly a "standard" - it's a half-arsed way to break an existing standard, and breaks a significant amount of legitimate e-mail. (Or it would if it was implemented rigorously, which it isn't, because it dumps too much legitimate e-mail).

  14. Olivier
    Paris Hilton

    @spf

    Basically SPF is designed to verify that the *ip address* sending an email to an smtp server is "compliant" with a proper *envelope*. The envelope does not appear in the content of an email.

    There are several big problems with this:

    a) only the envelope is verified, and the envelope does not show in the emails in your mailbox, so it does nothing against phishing etc.

    b) since it can be very problematic to block ip addresses the spec implements a "soft fail" feature which basically allows bypassing the spf checks. Millions of domains have no spf records, or have records allowing "soft fail". So it is very easy for spammers to pass spf checks.

    DKIM / DomainKeys do not check ip addresses nor envelopes, only headers and body of emails. The big issue ( imho ) with them are:

    a) implementation costs for sender. Far from trivial, many buggy/crappy tools and libs here and there, few efficient implementations, and a configuration is required per domain on each server which will send your emails..

    b) cpu costs for the sender. If you send many emails, it is very expensive in terms of resource to compute these signatures

    c) few recipients check these records anyway. Yahoo and Gmail do, but not hotmail, aol, outlook ..

    d) Anyway, a lot of spam and phishing emails are sent with perfect DKIM / Domain Keys records. You just have to send these emails via yahoo or gmail. And a *lot* of spam is sent via these accounts. Nothing prevents sending an email which *looks* like it is coming from Paypal:

    From: <phishme998809@gmail.com> Paypal Security

    ..

    Will "look" like it is coming from paypal and will have DKIM + DomainKeys + SPF all perfectly verified.

    Paris, because I write from there.
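
The check below is an added example, not part of the original comments or of any Gmail, eBay or PayPal code. It shows the receiver-side policy that covers both the article's case (mail using a protected domain without a valid signature from it) and the case in comment 14 (mail validly signed by another domain whose display name claims the brand). `BRAND_DOMAINS`, `assess` and the sample headers are constructed for illustration; `dkim_domain` is assumed to be the `d=` value of a signature that a DKIM verifier has already validated.

```python
from email.utils import parseaddr

# Constructed policy: brand keyword -> domains allowed to send under that name.
BRAND_DOMAINS = {
    "paypal": ("paypal.com",),
    "ebay": ("ebay.com",),
}


def in_domain(domain, allowed):
    """True if domain equals, or is a subdomain of, one of the allowed domains."""
    return any(domain == a or domain.endswith("." + a) for a in allowed)


def assess(from_header, dkim_domain):
    """Classify a message from its From: header and its verified DKIM d= domain.

    dkim_domain is None when no signature verified. A valid signature only
    proves which domain vouches for the message, so it must be compared with
    what the From: header claims before it says anything about phishing.
    """
    display, addr = parseaddr(from_header)
    local, _, from_domain = addr.lower().rpartition("@")
    signer = (dkim_domain or "").lower()

    for brand, allowed in BRAND_DOMAINS.items():
        names_brand = brand in display.lower() or brand in local
        uses_domain = in_domain(from_domain, allowed)
        if not (names_brand or uses_domain):
            continue
        if not uses_domain:
            # Brand appears in the visible name only; the signature, if any,
            # belongs to whoever really sent it (for example a webmail host).
            return ("reject", "lookalike-sender")
        if not in_domain(signer, allowed):
            # Address uses the brand's domain but that domain did not sign it.
            return ("reject", "brand-domain-not-signed")
        return ("accept", "brand-domain-signed")
    return ("neutral", "no-protected-brand")


if __name__ == "__main__":
    # Constructed sample headers, paired with a verified d= value or None.
    samples = [
        ('"PayPal Security" <someone@gmail.com>', "gmail.com"),
        ('"PayPal" <service@paypal.com>', None),
        ('"eBay" <member@reply.ebay.com>', "ebay.com"),
        ("Alice <alice@gmail.com>", "gmail.com"),
    ]
    for header, signer in samples:
        print(header, signer, assess(header, signer))
```

Keyword matching on the display name is deliberately crude and will also flag legitimate senders who mention a brand in their name.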

  15. Anonymous Coward
    Anonymous Coward

    RE: ebay investigations

    Submit a complaint to the Financial Ombudsman Service http://www.financial-ombudsman.org.uk/ eventually (several months later) PayPal refunded me

  16. This post has been deleted by its author

  17. Anonymous Coward
    Happy

    Re: Bill Bennett

    OMG Bill. Just... OMG. Wow, that is classic!

  18. Jay Zelos

    SPF

    An SPF record should provide details of the mail servers permitted to send on behalf of a given domain. It's not a complete solution, but at least provides some assistance to combating spam. SenderID is not exactly the same as it uses a different approach to identify the domain, (PRA). Unfortunately they both use spf1 which causes confusion.

  19. Anonymous Coward
    Anonymous Coward

    Nigeria

    I've gotten some impressive 419s lately, which instructed me to stop contact with the people in Nigeria who are ripping me off, and only communicate with THEM... gotta give 'em credit for chutzpah!

  20. Kilgaard
    Unhappy

    @@ spf (by Olivier)

    > The big issue ( imho ) with them are:
    >
    > a) implementation costs for sender.
    >
    > b) cpu costs for the sender. If you send many emails, it is very expensive in terms of resource to compute these signatures

    Anything that makes it harder for SPAMMERS to SEND email looks good to me. The major cause of spam is that it is just too easy/cheap to send spam. If the protocol causes additional cost (even in terms of cpu load) to the sender of emails then this will greatly impact the profitability of spam sending.

    That this cost would have to be carried by legitimate email senders also is unfortunate, but a necessary price to pay.

    Of course, somebody will probably point out that the CPU costs for bot-spammers is almost zero anyway because they are just using their zombie hosts' CPUs.

  21. Allan Dyer
    Gates Horns

    @Jay Zelos

    Yep. Good summary.

    I think we're in the "Extinguish" phase, where the confusion caused by M$ wipes out a promising standard they didn't like.

  22. Anonymous Coward
    Anonymous Coward

    Email Forwarding

    I wondered why I was no longer getting any emails at all from Ebay or Paypal and that is because all my mail is forwarded from hotmail to gmail, which fails SenderID and Domainkeys checks as the email comes from a non Ebay or Paypal server.

    I do still get emails from ebay.co.uk, so they have not implemented this yet.

  23. Dave Bell

    Wait until they send out the next customer survey...

    They employ a third-party company of survey specialists (pretty sensible: bad survey design ruins the results), and you get an eBay/Paypal email which doesn't come from eBay/Paypal, and goes on to break pretty well every rule they publish about identifying valid emails.

  24. Anonymous Coward
    Paris Hilton

    Well it's a start at least......

    ...now, when are they going to stop handing over the contents of Gmail accounts to the US Govt?

    (Paris cos she's pretty good at the whole hands-on full disclosure thing too)

  25. Olivier
    Gates Horns

    @Kilgaard

    > Anything that makes it harder for SPAMMERS to SEND email looks good to me.

    Unfortunately DKIM makes it much harder for legitimate senders than for spammers. If hitting spammers means killing email, what is the point? If you follow your point, then we should move from email to proprietary, secured protocols. Exactly the dream Bill had for many years. The challenge against spam is to make it hard for spammers but let legitimate email thru.

    > Of course, somebody will probably point out that the CPU costs for bot-spammers is almost zero anyway because they are just using their zombie hosts CPUs.

    Exactly. Cost for spammers is 0. Sending emails via gmail accounts created by hijacked zombie PCs costs 0. And the emails are DKIM / DomainKeys signed from gmail.com! You want to block all emails with a valid DKIM signature for gmail.com domain? It will certainly make it harder for spammers.

    Bill because if he had it his way, smtp would not be used anymore.
