Yahoo!, eBay, PayPal team for anti-phish push

By Stephen Withers
Thursday, 04 October 2007 01:47

Security

Users of Yahoo! Mail should start to see fewer phishing attempts targeting their eBay and PayPal accounts.

Yahoo Mail is today applying the DomainKeys authentication technology to block emails purporting to be from eBay or PayPal.

DomainKeys allows an email server to verify that an email really did originate from the domain it claims to be from. So a phishing email coming from a zombie PC connected to an ISP cannot include a valid signature to confirm it came from PayPal.

Once a domain declares it will add a DomainKeys signature to all outgoing emails, the operators of other email servers and services can choose to ignore any emails that purport to be from that domain but which do not include a verified signature.

"eBay and PayPal's adoption of digital email signing technology and this aggressive move on the part of Yahoo! Mail is a significant step forward in the fight to protect consumers against email-based crimes," said Michael Barrett, chief information security officer at PayPal, an eBay subsidiary.

"While the battle against phishing and identity theft scammers will continue to require a multi-faceted approach, today's announcement demonstrates the power of DomainKeys and the security benefits to be gained by email users worldwide."

eBay also welcomed the announcement.

"Through industry cooperation we can collectively stamp out phishing and other e-mail scams," said Dave Cullinane, eBay's chief information security officer. "We welcome Yahoo!'s commitment to this endeavour and applaud its leadership role within the Internet service provider community."

The feature is being rolled out to Yahoo! Mail's international network over the next several weeks, and users of the Australian Yahoo!7 Mail service are be among the first to benefit.

"Yahoo!7 Mail is offering Australians a safer Web mail service by reducing the risk of phishing scams. This will benefit not only eBay and PayPal users but the wider Yahoo!7 Mail community as well. We will continue to work towards protecting people from email scams and facilitating the continued industry adoption of DomainKeys," said Mark Helvadjian, head of communications at Yahoo!7.

DomainKeys Identified Mail (DKIM), a combination of Yahoo!'s DomainKeys and Cisco's Identified Internet Mail, became an IETF Proposed Standard in February 2007. The first interoperability testing event is being held later this month.