Ben Laurie blathering

Paypal Show How Not To Fight Phishing

Apparently, Paypal want mail providers to block mail that is not signed by them, in order to fight phishing. This just makes me tired: why go to all the effort of getting people to sign up to this when it patently isn’t going to help?

So, why doesn’t it help? Because you clearly have to link the signatures to the purported origin of the email – there’s no other handle to bind the key to. But why would the scammer use a Paypal domain in their email? Obviously users don’t check with great care where their email comes from, or phishing wouldn’t be a problem in the first place. In fact, Paypal don’t even own (amazingly), so it’s not like it’s hard for phishers to find a plausible domain to send their mail from.

So, if Paypal succeed in this massive waste of time and energy, what will be the result? Yep, Paypal phishing will no longer have “” in the email address of the sender. I can hardly wait.
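
The argument above as an added example (not code from the original post): a receiver-side version of the "block mail not signed by them" rule, run over three constructed messages. The domains `bank.example` and `bank-secure.example`, the function names, and the assumption that the receiving MTA has already verified DKIM and recorded the result in an `Authentication-Results` header are all illustrative; the look-alike heuristic goes beyond the post, as the extra check a receiver would need.

```python
import re
from email import message_from_string
from email.utils import parseaddr

PROTECTED = "bank.example"  # constructed stand-in for the brand's signing domain

def from_domain(msg):
    """Domain part of the From: address, lower-cased."""
    return parseaddr(msg.get("From", ""))[1].rpartition("@")[2].lower()

def dkim_pass_domains(msg):
    """Signing domains (d=) that the receiving MTA recorded as dkim=pass."""
    found = set()
    for value in msg.get_all("Authentication-Results", []):
        found.update(d.lower() for d in
                     re.findall(r"dkim=pass\b[^;]*?header\.d=([\w.-]+)", value))
    return found

def signed_only_policy(msg):
    """The proposed rule: mail claiming the protected domain must carry its signature."""
    if from_domain(msg) != PROTECTED:
        return "accept"  # rule does not apply: the key is bound only to PROTECTED
    return "accept" if PROTECTED in dkim_pass_domains(msg) else "reject"

def edit_distance(a, b):
    """Plain Levenshtein distance, used only by the look-alike heuristic."""
    row = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        prev, row[0] = row[0], i
        for j, cb in enumerate(b, 1):
            prev, row[j] = row[j], min(row[j] + 1, row[j - 1] + 1, prev + (ca != cb))
    return row[-1]

def looks_like_protected(domain):
    """Heuristic (assumption): a label embeds or nearly equals the protected name."""
    if domain == PROTECTED or domain.endswith("." + PROTECTED):
        return False
    brand = PROTECTED.split(".")[0]
    return any(brand in l or edit_distance(brand, l) <= 1 for l in domain.split("."))

AR = "Authentication-Results: mx.receiver.example; dkim="  # constructed header prefix
SAMPLES = {  # constructed messages, not real mail
    "forged": f"From: Support <support@bank.example>\n{AR}none\n\nhello",
    "genuine": f"From: Support <support@bank.example>\n{AR}pass header.d=bank.example\n\nhello",
    "lookalike": f"From: Support <support@bank-secure.example>\n{AR}pass header.d=bank-secure.example\n\nhello",
}

def evaluate(raw):  # returns (policy verdict, look-alike flag)
    msg = message_from_string(raw)
    return signed_only_policy(msg), looks_like_protected(from_domain(msg))
```

The third sample is the case the post describes: the message is validly signed by its own domain, so the signature rule never fires, and only the separate look-alike flag marks it.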


  1. Sarcasm alert!

    What we really need is Extended Validation DKIM signatures. That way users can see a green From: line from, but not from

    Second thought: that might not be totally sarcastic.

    Comment by Eric Norman — 29 Mar 2007 @ 21:32

  2. Ben,

    What do you suggest Paypal do to help block the phishing emails?

    Or is it all a major waste of time and effort, and should we just give up as they can’t be stopped?

    Comment by Ian Holsman — 30 Mar 2007 @ 2:12
