Just in time for the holiday shopping season, Yahoo Mail users may be able to expect fewer fraudulent e-mails purporting to be from eBay and PayPal. That is, if things go according to plans announced today by the three companies.
Yahoo, eBay and eBay subsidiary PayPal said they would use DomainKeys’ e-mail authentication technology to block phishing messages from malicious domains. Yahoo said the technology upgrade would be rolled out globally over several weeks to all Yahoo Mail users, enabling the e-mail provider to verify the domain from which an e-mail claims to be sent.
“Yahoo! Mail is now blocking unauthenticated messages purporting to be from eBay and PayPal based on the DomainKeys signatures, and we are able to do so because eBay and PayPal are now confident that they are signing 100 percent of their legitimate outbound mail,” Mark Risher, Yahoo! Mail group product manager, told InternetNews.com.
“We think this will move the needle in terms of consumer protection and that eBay and PayPal customers worldwide using Yahoo! Mail will now have a safer e-mail experience because of it,” he added. “They will begin receiving fewer fake e-mails claiming to be sent by eBay and PayPal, increasing their trust in the messages they do receive.”
If the plan to weed out fake e-mails works, it may spell some relief for users long suffering from the threat of phishing. As long ago as January 2006, research firm Netcraft identified eBay and PayPal as top phishing targets, representing 62 percent of all phishing attacks in 2005.
Nevertheless, the effort may seem to have been slow in coming. The DomainKeys Identified Mail (DKIM) authentication standard that Yahoo, eBay and PayPal today agreed to adopt evidently had been ready for use for more than a year. In August 2006, the Mutual Internet Practices Association (MIPA), which developed the DKIM technical specifications, announced it had completed most of its work.
At the time, MIPA officials told InternetNews.com that the spec was stable and “just about done.”
However, it wasn’t until May that the specification — which Yahoo representatives helped draft along with AOL, Cisco, Microsoft and others — reached the final stages of being accepted by the IETF, the organization responsible for hammering out many of the Internet’s standards.
Despite the elapsed time, today’s news still could benefit Yahoo as it competes with rivals like Google, which did not participate in today’s announcement. Google could not be reached for comment.
“Yahoo! Mail is the first Web mail service to block these types of malicious messages for eBay and PayPal through the use of DomainKeys e-mail authentication technology,” Risher said. “We also hope this news will help to build momentum for continued industry adoption.”
Yahoo last dealt with phishing in June when security researcher Aditya K Sood posted a security advisory on a public mailing list warning that, “a severe redirection and phishing vulnerability [has] been found in Yahoo Network.”
Sood said at the time that the vulnerability could have allowed some URLs on Yahoo’s pages to be manipulated to redirect traffic for malicious purposes. Yahoo acknowledged the issue and quickly moved to close down the threat.
InternetNews.com Senior Editor Sean Michael Kerner contributed to this article.