Yahoo! Teams! With! eBay! And! PayPal! To! End! Phishing! Yahoo! has teamed with eBay and PayPal to save you from phishing scams. If you use Yahoo! Mail. And the scams involve eBay or PayPal. Yesterday, the three companies announced that, over the next several weeks, Yahoo! Mail users worldwide "will begin receiving fewer fake e-mails claiming to be sent by eBay and PayPal." You see, …
Why would yahoo sit on its thumbs so long over the issue? I've been using DomainKeys and SPF for over a year to block the brunt of the phishing hitting my company. Ebay must be pretty royally pissed after spending effort to implement it, when Yahoo's done nothing to block it despite all the initial hype.
Having two competing anti-phishing proposed standards is kind of lame, though.
No HTML email. None. Only plain text. Can't disguise anything in plain text. No pictures, no nothing. It is very obvious.
Why this isn't obvious to everyone is beyond me. If you can't put the URL's in plain text then you can't obliterate the URL and disguise it somehow.
Thankfully El Reg sends plain text emails.
I'm glad that somethings being done - but it's shame they use it for self promotion. It's too important for that.
Time that ALL the players got together and agreed a way forward. That's the only way it'll work!
I don't mind 2,3 even four standards, so long as they don't work against each other.
But one is better!
All on-line shopping and banking. In fact stop any and all e-commerce. simple. I couldn't give a fig if this happened within the next 5 minutes, even though it means I would have to find another job.
Seriously, revise the email standards and allow only plain text. Any and every email containing html should get deleted at the very first relay the email hits.
Although this would help, there is always the issue of attachments to contend with. I wonder how users, without thought, just open and run attachments regardless of source.
Which "joe sixpack" or Radio One listener could resist an attachment such as: (Current Female/Male Flavour of the month) gets her tits/his cock out.exe. I know I can't. I've even removed my anti virus software because it stopped me running them for some reason.
SPF has some issues, but minor, except for a few people. But incredibly workable. If more ISPs used it, the world would be a nicer place. Yes, spammers could register their own domains and set up their own MX records, but I wouldn't get an email from hsbc.co.uk (just saw that one in my junk file about 10 minutes ago).
My spam processor, part of Eudora, does a pretty good job. But something like SPF would be even better. And if I could get ISPs to actually do something about zombies on their network, things would get even better.
Whatever happened to caveat lector? There are laws against fraud of course, and rightfully so, but the burden of protecting oneself from scam artists ultimately falls to the individual.
To try to find a technical solution to the problem of basic human gullibility is, frankly, dumb. Before email, there were still direct mail schemes, telephone scams, and direct con games.
The problem has nothing to do with IT, technology, HTML in emails, URL construction, or SPF records. The problem is that as long as there's a tiny percentage of extremely gullible people, fraud will continue to be profitable, and criminals will continue to perpetrate it.
Repeat after me once more, class: "If something seems to good to be true, it's not. If someone tries to scare you into giving them money, you shouldn't. Don't let yourself be tricked, and no one will trick you."
Considering the amount of spam I get which is sent from authenticated Yahoo webmail accounts, or sometimes even authenticated Yahoo SMTP accounts, I feel they at least could do much to clean up their mail sending act.
I already run Domainkeys checks on Yahoo, Ebay and Paypal (and others) and receive little forgery spam as a result - only spam sent from Yahoo's users which has received the slight scoring boost I give Yahoo Domainkeys mail.
So they have now publicly claimed they will prevent phishing attacks (see your headline for what the punters will actually hear; no matter the subtle implementation details...) - so will their users feel safer? And more inclined to think that the login email from eBay/PayPal is legit?
The Register 
Biting the hand that feeds IT
Copyright. All rights reserved © 1998–2024
