I use SPF quite a bit, and it usually dumps the paypal and ebay scams quickly.

There's also not much overhead, other than dns (since we're doing rbl lookups anyway)

but how does it help me get my share of 30 million dollars (US) out of the Bank of Nigeria ?

'but how does it help me get my share of 30 million dollars (US) out of the Bank of Nigeria ?'

I hate to see a person such as yourself suffer a misfortune like this. For sure and I can help you with that, all you need to do is email me your bank account details & I will sort it for you.

Who are they to inercept my email?!?

I want all of my email delivered, not rifled through by my postie who then decides in a crackpot fashion which is suitable for me to read.

Send all the spam through!

I Love It!!!

DKIM is not specific to eBay or Gmail, I have had it with our email inspection provider Citrus for well over a year. As already commented SPF should also be implemented, honestly how hard is it to create a dns record? That eBay and PhishPal have only just been arsed to implement some of the basics of email security is all the evidence you need that they couldn't give a toss about their customers being defrauded. This extends to all the retail banks, next time one of them bleats on about 'customer care' or 'security' ask them why they have not deployed simple measures such as this, there is no downside for customers who do not have DKIM or SPF capability, the answer is that the banks don't give a monkeys about phishing either.

Oh, and if some Micro$oft muppet turns up bleating on about 'Sender ID' explain to them that there was an existing, public, royalty free standard called SPF and that implementing a Micro$oft specific 'standard' and then refusing to support anything else won't help them or the rest of the world and no, you won't be coming to shore up their monopoly. If that doesn't get rid of them then ask about their pay to spam program on Hotmail where you can pay to 'register' your domain so email gets through and them spam all you like.

Actually, I have a contact working in the Bank of Nigeria who assures me that your $ 30 million (US) are secured, and awaiting transfer immediately to your bank account should you wish to recieve it. Just send a signed letter, including your bank account number, NI Number, Pin Number, date of birth, 3 utility bills, a photocopy of your passport, and your driving licence to:

D OdgyForkers, London. PO BOX 666

And await your millions.

If those twats got their mail servers DNS records setup properly then all mail servers could just reject out of hand any email claiming to come from their servers where the reverse DNS fails. Trouble is since eBay and Paypal are run by amatuers who shouldn't even be allowed on the internet, some mail servers are correctly configured and others aren't (note the lack of consistency here !). Get that sorted and it's not just Gmail who would benefit.

Trouble is eBay is to busy aiding and abetting in the selling of counterfeit goods (according to the EU) to bother with troublesome little things like security.

Only one auction site on the 'net, just like there is only one Paris all over the 'net

...I somehow doubt it. Around 90% of the spoofed emails I get are not from paypal.com or ebay.com.

Paris, cause she doesn't engage in pointless PR.

When you file a claim under ebay's "buyer protection" plan, they send you a mail some time later asking you to fax off details of the transaction to them... This mail sometimes comes from a completely different address range to normal ebay mails, is formatted slightly differently, and likely wont have this domainkeys on it either...

The mail has a deadline, ie you must fax the details they ask for within 14 days or your claim will be denied, but because the mail looks suspicious and asks you to send personal information to an arbitrary phone number some people will question it's validity.... ebay won't answer this question, i asked several times and got no response resulting in my claim being cancelled.

"Oh, and if some Micro$oft muppet turns up bleating on about 'Sender ID' explain to them that there was an existing, public, royalty free standard called SPF."

Um... what do you think Sender ID is, besides Microsoft-branded SPF?

Plain text email (no HTML!)

Be VERY wary of ANY email that is addressed to "Undisclosed Recipients".

If the eBay/PayPal people would do the first, it would cut down on traffic, and be "safer". Of course anything helps!

This is all funny because Google is the biggest origin of spam that I've ever seen. I have all of their mail servers blocked from my mail account to stop the junk flood. Their Usenet service spews thousands of CC phishing posts and spams a day. The infamous Nike shoe phisher has been using Google for years. Google doesn't care how much spam they send as long as it doesn't come back to them.

"there was an existing, public, royalty free standard called SPF"

SPF is hardly a "standard" - it's a half-arsed way to break an existing standard, and breaks a significant amount of legitimate e-mail. (Or it would if it was implemented rigourously, which it isn't, because it dumps too much legitimate e-mail).

Basically SPF is designed to verify that the *ip address* sending an email to an smtp server is "compliant" with a proper *enveloppe*. The enveloppe does not appear in the content of an email.

There are several big problems with this:

a) only the enveloppe is verified, and the enveloppe does not show in the emails in your mailbox, so it does nothing against phishing etc.

b) since it can be very problematic to block ip addresses the spec implements a "soft fail" feature which basically allows bypassing the spf checks. Millions of domains have no spf records, or have records allowing "soft fail". So it is very easy for spammers to pass spf checks.

DKIM / DomainKeys do not check ip addresses nor enveloppes, only headers and body of emails. The big issue ( imho ) with them are:

a) implementation costs for sender. Far from trivial, many buggy/crappy tools and libs here and there, few efficient implementations, and a configuration is required per domain on each server which will send your emails..

b) cpu costs for the sender. If you send many emails, it is very expensive in terms of ressource to compute these signatures

c) few recipients check these records anyway. Yahoo and Gmail does, but not hotmail, aol, outlook ..

d) Anyway, a lot of spam and fishing emails are sent with perfect DKIM / Domain Keys records. You just have to send these emails via yahoo or gmail. And *lot* of spam is sent via these accounts. Nothing prevents from sending an email which *looks* like coming from Paypal:

From: <phishme998809@gmail.com> Paypal Security

..

Will "look" coming from paypal and will have DKIM + DomainKeys + SPF all perfectly verified.

Paris, because I write from there.

Submit a complaint to the Financial Ombudsman Service http://www.financial-ombudsman.org.uk/ eventually (several months later) PayPal refunded me

I'd better post this I got a few years ago then...

---------- Forwarded message ----------

From: <paypalofficialnotice@hotmail.com>

Date: Mar 12, 2006 11:22 AM

Subject: Your Account Not Is Working Now Please

>

> Hello Paypal User Your account not is working now!

>

> You must reply this email with check with youre credit card number and

> address and name so i can check youre account is working now.

>

> Youre account will not work soon until account will work when you send number

> and expiry date. We will not be illegally buy with youre card. Beware illegally

> fraud mans and womans! This is a real email! You know because it come from

> pay pal. It says from pay pal at the end so you know it is not fake. If you do

> not send real credit card numbers for check there will be a bad fine.

>

> From pay pal ofices.

> This is a real email.

> paypalofficialnotice@hotmail.com

>

>

OMG Bill. Just... OMG. Wow, that is classic!

An SPF record should provide details of the mail servers permitted to send on behalf of a given domain. It's not a complete solution, but at least provides some assistance to combating spam. SenderID is not exactly the same as it uses a different approach to identify the domain, (PRA). Unfortunately they both use spf1 which causes confusion.

I've gotten some impressive 419s lately, which instructed me to stop contact with the people in Nigeria who are ripping me off, and only communicate with THEM... gotta give 'em credit for chutzpa!

> The big issue ( imho ) with them are:

>

> a) implementation costs for sender.

>

> b) cpu costs for the sender. If you send many emails, it is very expensive in terms of ressource to compute these signatures

>

>

Anything that makes it harder for SPAMMERS to SEND email looks good to me. The major cause of spam is that it is just too easy/cheap to send spam. If the protocol causes additional cost (even in terms of cpu load) to the sender of emails then this will greatly impact the profitability of spam sending.

That this cost would have to be carried by legitimate email senders also is unfortunate, but a necessary price to pay.

Of course, somebody will probably point out that the CPU costs for bot-spammers is almost zero anyway because they are just using their zombie hosts CPUs.

Yep. Good summary.

I think we're in the "Extinguish" phase, where the confusion caused by M$ wipes out a promising standard they didn't like.

I wondered why I was no longer getting any emails at all from Ebay or Paypal and that is because all my mail is forwarded from hotmail to gmail, which fails SenderID and Domainkeys checks as the email comes from a non Ebay or Paypal server.

I do still get emails from ebay.co.uk, so they have not implemented this yet.

They employ a third-party company of survey specialists (pretty sensible: bad survey design ruins the results), and you get an eBay/Paypal email which doesn't come from eBay/Paypal, and goes on to break pretty well every rule they publish about identifying valid emails.

...now, when are they going to stop handing over the contents of Gmail accounts to the US Govt?

(Paris cos she's pretty good at the whole hands-on full disclosure thing too)

> Anything that makes it harder for SPAMMERS to SEND email looks good to me.

Unfortunately DKIM makes it much harder for legitimate senders than for spammers. If hitting spammers means killing email, what is the point? If you follow your point, then we should move from email to proprietary, secured protocols. Exactly the dream Bill had for many years. The challenge against spam is to make it hard for spammers but let legitimate email thru.

>Of course, somebody will probably point out that the CPU costs for bot-spammers > is almost zero anyway because they are just using their zombie hosts CPUs.

Exactly. Cost for spammers is 0. Sending emails via gmail accounts created by hijacked zombie PCs costs 0. And the emails are DKIM / DomainKeys signed from gmail.com! You want to block all emails with a valid DKIM signature for gmail.com domain? It will certainly make it harder for spammers.

Bill because if he had it his way, smtp would not be used anymore.