The NewsFuror

Friday, October 5, 2007

Battle to beat fake Ebay e-mails

Fake Ebay and Paypal e-mails which are used to con users out of money are being targeted by a secure mail system.

The online auction site and web pay service are working with Yahoo to use the firm's anti-phishing technology.

The firms are supporting the emerging standard known as domain keys, which block fake e-mails by validating the sender with a digital signature.

Spammers hide their identity by using a false, or spoofed, address in the millions of messages they send out.

The technology, called the DomainKeys Identified Mail (DKIM), will be available to millions of Yahoo Mail users worldwide in the coming weeks.

"It is a big step forward for consumers in defence against the bad guys," John Kremer, vice president of Yahoo Mail, told Reuters news agency.

Targeted companies

According to security analysts Trend Micro, eBay and its popular payment service Paypal have been the two most targeted companies for phishing e-mails in recent months.

E-mail analysts MessageLabs report that one in every 173 e-mails sent around the world each day contains some form of phishing attack.

"Our message to both businesses and consumers is: beware of unexpected or strange-looking e-mails regardless of their sender and never open attachments or links contained in these e-mail messages," said David Sancho, of TrendLabs at Trend Micro.

A recent YouGov poll, conducted on behalf of USwitch.com, reported that 35% of 2,500 people surveyed in the UK said they received more than 10 spam e-mails every day.

Yahoo's system is designed to automatically detect potential phishing attacks without relying on the consumer to intervene.

Encrypted signatures

"If the consumer doesn't receive an e-mail in their inbox then it is very hard for the phisher to victimise them," said Michael Barrett, PayPal's chief information security officer.

DKIM uses encrypted digital signatures to prove a message's origin.

Although 90 to 99% of e-mail comes from senders known to the recipient, establishing the identity of a sender remains a key consideration in the protection against spam.

Spammers get away with sending spoofed e-mails because mail servers only check if a domain mentioned in these spoofed addresses - such as @madeupmailname.com - is known to be used by spammers.

DKIM lets honest e-mail senders prove they sent a message by encrypting a two-part signature, or key, in a selected part of the mail.

The e-mail provider, such as Yahoo, puts an encrypted private key into the e-mail when it is sent.

It is linked to a public key held by the internet's domain name system - the phonebook of the internet.

The mail server which receives the e-mail checks to ensure that the private and public keys match, proving that the message has come from a genuine sender.
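The signing and checking steps described above, as an added example in Go that is not part of the article and not Yahoo's or eBay's code. It is deliberately simplified: real DKIM canonicalises the headers and carries the signature in a DKIM-Signature header with tags, whereas here an in-memory map stands in for the DNS lookup, and the domain (example.com), selector (s1) and message contents are all constructed.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
)

// Constructed stand-in for the DNS TXT record at <selector>._domainkey.<domain> ("p=" tag).
var dnsTXT = map[string]string{}

// NewKey generates the provider's RSA key pair (2048 bits is a common DKIM size).
func NewKey() *rsa.PrivateKey {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048)
	return priv
}

// PublishKey is the sending provider's one-time DNS step: only the public half is published.
func PublishKey(selector, domain string, pub *rsa.PublicKey) {
	dnsTXT[selector+"._domainkey."+domain] = base64.StdEncoding.EncodeToString(x509.MarshalPKCS1PublicKey(pub))
}

// digest covers the "selected part of the mail": the From and Subject headers plus the body.
func digest(from, subject, body string) []byte {
	h := sha256.Sum256([]byte("from:" + from + "\r\nsubject:" + subject + "\r\n\r\n" + body))
	return h[:]
}

// Sign is the sender side: the provider signs the digest with its private key. The
// private key never leaves the provider; only the signature travels with the message.
func Sign(priv *rsa.PrivateKey, from, subject, body string) (string, error) {
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest(from, subject, body))
	return base64.StdEncoding.EncodeToString(sig), err
}

// Verify is the receiver side: fetch the public key from "DNS" and check the signature
// against the message as actually received; a spoofed From or an edited body fails.
func Verify(selector, domain, from, subject, body, b64sig string) bool {
	der, _ := base64.StdEncoding.DecodeString(dnsTXT[selector+"._domainkey."+domain])
	pub, err := x509.ParsePKCS1PublicKey(der) // fails when no key is published
	if err != nil {
		return false
	}
	sig, _ := base64.StdEncoding.DecodeString(b64sig)
	return rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest(from, subject, body), sig) == nil
}
```

A receiving server that runs Verify can drop a message whose signature does not match before it reaches the inbox, which is the outcome the article's PayPal quote describes.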

'Coming around'

But in order for the technology to work, both the sender and recipient need their mail services to be signed up to DKIM.

The technology was developed by Yahoo and is backed by AOL, Google, IBM, Sendmail and Verisign.

A second standard, called Sender Policy Network (SPF), is backed by Microsoft, Amazon and eBay, which supports both forms of protection.

Digitally signed e-mails are expected to become the norm in the coming years.

Chenxi Wang, a security analyst with Forrester Research, told Reuters: "Two years ago if you asked companies whether they were using e-mail authentication, most people wouldn't have cared.

"The industry is slowly coming around," Mr Wang said.

"EBay and PayPal are some of the first to actively block unauthenticated e-mails."