Google Works With eBay And PayPal To Curtail Phishing
It's sometimes easy to identify a phish. An urgent email from Washington Mutual about my account? No account with that bank, can't be real. An urgent message from PayPal? Uh oh.
According to Google's official blog, Gmail users will no longer have to worry about fake messages pretending to be from PayPal or eBay. For suspicious mail in general, Google displays a notice above the email warning that the message may not be from the sender it claims to be. If the sender claims to be eBay or PayPal, however, Google will now automatically check whether the message carries a DomainKeys signature. If it doesn't, the message simply disappears, leaving users with a clean inbox and the assurance that the ones that did make it through really are from eBay and PayPal.
DomainKeys is an e-mail authentication system designed to verify the DNS domain of an e-mail sender and the integrity of the message. In short, it lets a receiving mail server verify that the sending domain really did send that message and that spammers haven't spoofed the return address. DomainKeys Identified Mail (DKIM) adds a cryptographic signature to the message that tells the receiving mail server which domain's authorized server sent it; the signature is checked against a key the domain publishes in DNS. If the signature is invalid, the receiving mail server can confidently trap the message as spam or reject it outright. Yahoo! (which owns the patent) has long been a proponent of this system, but many ISPs also like SPF (Sender Policy Framework), and Microsoft backs Sender ID.
SPF, DKIM, and Sender ID are not a cure-all for spam, and they aren't intended to be. But they are effective at weeding out spam in some cases. They don't work the same way, but they work toward the same goal.
SPF has recently come under fire for failing users who redirect all their mail to Gmail or another ISP: the forwarding server is not one the original domain has authorized, so the SPF check fails and Google automatically rejects those forwarded messages. This wouldn't apply to DKIM, since a DKIM signature is carried in the message itself and does not depend on which server delivered it.
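As an added illustration that is not code from the article, Google, eBay or PayPal, here is a Go model of the two mechanisms just described and of Gmail's policy: the DNS records, IPs, message contents and the use of Ed25519 in place of DKIM's usual RSA signatures are all constructed assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Message is a reduced mail message; Signature is the DKIM-style signature carried in it.
type Message struct {
	FromDomain, Body string
	Signature        []byte // nil when the message is unsigned
}
// Constructed stand-ins for DNS: dnsKeys models selector._domainkey.<domain> TXT records
// holding public keys, dnsSPF models SPF records listing IPs allowed to send for a domain.
var dnsKeys = map[string]ed25519.PublicKey{}
var dnsSPF = map[string]map[string]bool{"paypal.com": {"203.0.113.10": true}}
var paypalPriv ed25519.PrivateKey // the private key stays on paypal.com's own servers

func init() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	dnsKeys["paypal.com"], paypalPriv = pub, priv
}
// signedData is the content the signature covers (real DKIM canonicalizes headers and body).
func signedData(m Message) []byte { return []byte(m.FromDomain + "\n" + m.Body) }
// Sign is the sender side of DKIM: the domain's private key signs the covered content.
func Sign(m Message, priv ed25519.PrivateKey) Message {
	m.Signature = ed25519.Sign(priv, signedData(m))
	return m
}
// VerifyDKIM needs only the message and the From domain's published key, so it still
// passes after a forwarder re-sends the message from an IP the domain never listed.
func VerifyDKIM(m Message) bool {
	pub, ok := dnsKeys[m.FromDomain]
	return ok && m.Signature != nil && ed25519.Verify(pub, signedData(m), m.Signature)
}
// CheckSPF is tied to the connecting IP, which is why forwarding breaks it.
func CheckSPF(m Message, ip string) bool { return dnsSPF[m.FromDomain][ip] }
// Deliver applies the article's policy: mail claiming eBay or PayPal is dropped unless its
// DKIM signature verifies; other mail is only flagged when neither DKIM nor SPF vouches.
func Deliver(m Message, ip string) string {
	switch {
	case VerifyDKIM(m):
		return "accept"
	case m.FromDomain == "ebay.com" || m.FromDomain == "paypal.com":
		return "drop"
	case CheckSPF(m, ip):
		return "accept"
	}
	return "warn"
}
```

A signed PayPal message forwarded from an unlisted IP fails CheckSPF but still passes VerifyDKIM and is accepted, while an unsigned message claiming paypal.com is dropped even when it arrives from PayPal's listed IP.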
It's about time, though. eBay (which owns PayPal) announced plans to adopt DKIM in October 2007. Making an announcement and actually implementing it on every single one of its servers are not the same thing, though, and until there was some assurance that eBay really was signing its mail with DKIM, there was no way to accurately and thoroughly tell fake eBay messages from real ones. Thanks to this agreement with Google, other ISPs that also check DKIM now have a way to get rid of all the fake eBay and PayPal messages. If only more major companies would do it from their end. It would be nice to see those Bank of America messages disappear from my inbox.