Gmail, PayPal and Ebay embrace DomainKeys to fight phishing emails

Brad Taylor, Google’s Gmail Spam Czar, has just posted details on the ongoing cooperation with PayPal and Ebay, two ofSender ID (SIDF) and DomainKeys Identified Mail (DKIM) the most targeted brands in phishing emails, the effect of which is rejecting compared to flagging as spam each and every email pretending to be coming from paypal.com and ebay.com as well as from their international domain extensions. It’s a win-win-win move for users, and the companies themselves which are now digitally signing all of their emails, making phishing emails spoofing their origin easier to detect :

“Since 2004, we’ve been supporting email authentication standards including DomainKeys and DomainKeys Identified Mail (DKIM) to verify senders and help identify forged messages. This is a key tool we use to keep spam out of Gmail inboxes. But these systems can only be effective when high volume senders consistently use them to sign their mail — if they’re sending some mail without signatures, it’s harder to tell whether it’s phishing or not. Well, I’m happy to announce today that by working with eBay and PayPal, we’re one step closer to stopping all phishing messages in their tracks.

Now any email that claims to come from “paypal.com” or “ebay.com” (and their international versions) is authenticated by Gmail and — here comes the important part — rejected if it fails to verify as actually coming from PayPal or eBay. That’s right: you won’t even see the phishing message in your spam folder. Gmail just won’t accept it at all. Conversely, if you get an message in Gmail where the “From” says “@paypal.com” or “@ebay.com,” then you’ll know it actually came from PayPal or eBay. It’s email the way it should be.”

As Google put it - it’s been working so well that you wouldn’t be able to notice it. Moreover, despite that Sender ID and DomainKeys Identified Mail are well known concepts for validating the sender, and consequently capable of blocking huge percentage of emails that pretend to have been sent from legitimate emails, just like DNSSEC which emphasizes on authenticating DNS data, it’s all a matter of implementation on a large scale. Or the lack of.

Read the rest of this entry

[Source: zdnet]


0 comments